RCE-Remote Command Execution vulnerability in Apache HugeGraph-Server.This issue affects Apache HugeGraph-Server: from 1.0.0 before 1.3.0 in Java8 & Java11

Users are recommended to upgrade to version 1.3.0 with Java11 & enable the Auth system, which fixes the issue.



**Navigation Menu**

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-27348

**Apache HugeGraph-Server: Command execution in gremlin**

Critical severity GitHub Reviewed Published Apr 22, 2024 to the GitHub Advisory Database • Updated Apr 22, 2024

**Package**

maven org.apache.hugegraph:hugegraph-api (Maven)

**Affected versions**

\>= 1.0.0, < 1.3.0

maven org.apache.hugegraph:hugegraph-core (Maven)

**Description**

Published to the GitHub Advisory Database

Apr 22, 2024

Last updated

Apr 22, 2024

GHSA-29rc-vq7f-x335: Apache HugeGraph-Server: Command execution in gremlin

The five intelligence sources that power social engineering scams.

Source: LightField Studios Inc. via Alamy Stock Photo

COMMENTARY

Social engineering is one of the most prevalent attack vectors used by cyber scammers to infiltrate organizations. These manipulative attacks typically are executed in four phases: 

1.  Information gathering (attacker gathers information about the target)
    
2.  Relationship development (attacker engages the target and earns their trust)
    
3.  Exploitation (attacker persuades the target to carry out an action)
    
4.  Execution (the information collected through exploitation is operationalized to execute the attack)
    

The first phase obviously is the most important — without the right information, it can be difficult to execute a targeted social engineering attack. 

**Five Sources of Intelligence**

So how do attackers gather data about their targets? There are five sources of intelligence cybercriminals can use to gather and analyze information about their targets. They are:

1\. OSINT (open source intelligence)

OSINT is a technique hackers use to collect and assess publicly available information about organizations and their people. Threat actors can use OSINT tools to learn about their target's IT and security infrastructure; exploitable assets such as open ports and email addresses; IP addresses; vulnerabilities in websites, servers, and IoT (Internet of Things) devices; leaked or stolen credentials; and more. Attackers weaponize this information to launch social engineering attacks.

2\. SOCMINT (social media intelligence)

Although SOCMINT is a subset of OSINT, it deserves a mention. Most people voluntarily expose personal and professional details about their lives on popular social media platforms: their headshot, their interests and hobbies, their family, friends and connections, where they live and work, their current job position, and lots of other details. Using SOCINT tools such as Social Analyzer, Whatsmyname, and NameCheckup.com, attackers can filter social media activity and information about an individual and design targeted social engineering scams. 

3\. ADINT (advertising intelligence)

Say you download a free chess app on your phone. There's a small area on the app that serves location-based ads from sponsors and event organizers, updating users on local players, events, and chess meetups. Whenever this ad gets displayed, the app shares certain details about the user with the advertising exchange service, which includes things like IP addresses, the type of operating system in use (iOS or Android), the name of the mobile phone carrier, the user's screen resolution, GPS coordinates, etc. Typically, ad exchanges store and process this information for serving up relevant ads based on user interest, activity, and location. Ad exchanges also sell this valuable data. What if a threat actor or a rogue government buys this information? That's exactly what intelligence agencies and adversaries have been doing to track activity and hack their targets. 

4\. DARKINT (Dark Web intelligence)

The Dark Web is a billion-dollar illicit marketplace transacting corporate espionage services, DIY ransomware kits, drugs and weapons, human trafficking, et al. Billions of stolen records (personally identifiable information, healthcare records, banking and transaction data, corporate data, compromised credentials) are available for purchase on the Dark Web. Threat actors can purchase off-the-shelf data and mobilize it for their social engineering schemes. They can also choose to outsource professionals who will socially engineer people on their behalf or discover hidden vulnerabilities in target organizations. In addition, there are hidden online forums and instant messaging platforms (such as Telegram) where people can access information about potential targets. 

5\. AI-INT (AI intelligence)

Some analysts are calling AI the sixth intelligence discipline, on top of the five core disciplines. With recent advancements in generative AI technology like Google Gemini and ChatGPT, it's not hard to imagine cybercriminals deploying AI tools to mine, assimilate, process, and filter information about their targets. Threat researchers are already reporting the presence of malicious AI-based tools that are popping up in Dark Web forums such as FraudGPT and WormGPT. Such tools can significantly reduce the research time for social engineers and provide actionable information they can use to execute social engineering schemes. 

**What Can Businesses Do to Mitigate Social Engineering Attacks?**

The root cause of all social engineering attacks is information and the careless handling of it. If businesses and employees can reduce their information exposure, they will lower social engineering attacks by a significant degree. Here's how:

*   Train staff monthly: Using phishing simulators and classroom training, teach employees to avoid posting sensitive or personal information about themselves, their families, their coworkers, or the organization.
    
*   Draft AI-use policies: Make it clear to employees what is acceptable and unacceptable online behavior. For example, prompting ChatGPT with a line of code or proprietary data is unacceptable; responding to unusual or suspicious requests without proper verification is unacceptable.
    
*   Leverage the same tools hackers use: Use the same intelligence sources highlighted above to proactively understand how much information about your organization, your people, and your infrastructure is available online. Develop an ongoing process to reduce that exposure.
    

Good cybersecurity hygiene begins with clamping down on root causes. The root cause behind 80% to 90% of all cyberattacks is attributed to social engineering and bad judgement. Organizations must focus on two things primarily: reducing information exposure and controlling human behavior via training exercises and education. By applying efforts in these two areas, organizations can significantly reduce their threat exposure and the potential downstream impact of that exposure.

**About the Author(s)**

Founder & CEO, KnowBe4, Inc.

Stu Sjouwerman is founder and CEO of KnowBe4, provider of the world’s largest security awareness training and simulated phishing platform used by more than 65,000 organizations around the globe. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses.

Where Hackers Find Your Weak Spots

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

A ransomware gang claimed responsibility for the attack, though it is unknown if a ransom was demanded or paid.

The UN City building located in Copenhagen, DenmarkSource: BERK OZDEMIR via Alamy Stock Photo

The United Nations Development Programme (UNDP) became the victim of a cyberattack in late March, which also impacted the IT infrastructure of the city of Copenhagen, Denmark. 

The UNDP received word of a data-extortion actor stealing its data, some of it related to human resources and procurement. 

As the agency continues to assess the scope of the attack, the UNDP noted in a statement that "actions were immediately taken to identify a potential source and contain the affected server."

The UNDP determined which data was exposed and who is at risk because of the breach. It's also been in contact with those who have been impacted, as well as with stakeholders, such as UN system partners. 

Though the UNDP has not confirmed who the threat actor was, 8Base, a ransomware gang, updated its website in early April, listing UNDP as one of its victims, along with three other entities. The group commented that information such as personal data, certificates, "a huge amount of confidential information," and invoices, among other things, were uploaded to the servers.

UNDP made no subsequent comment and didn't address whether a ransom has been demanded or paid.

**About the Author(s)**

UNDP, City of Copenhagen Targeted in Data-Extortion Cyberattack

CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent user into handing over their high-value credentials.

Source: II.studio via Shutterstock

An ongoing, highly sophisticated phishing campaign may have led some LastPass users to give up their all-important master passwords to hackers.

Password managers store all of a user's passwords — for Instagram, their job, and everything in between — in one place, protected by one "master" password. They unburden users from having to remember credentials for hundreds of accounts, and empower them to use more complicated, unique passwords for each account. On the other hand, if a threat actor gains access to the master password, they'll have keys to every single one of the accounts within.

Enter CryptoChameleon, a new, hands-on phishing kit of unparalleled realism. 

CryptoChameleon attacks tend not to be so widespread, but they're successful at a clip largely unseen across the cybercrime world, "which is why we typically see this targeting enterprises and other very high-value targets," explains David Richardson, vice president of threat intelligence at Lookout, which first identified and reported the latest campaign to LastPass. "A password vault is a natural extension, because you're obviously going to be able to monetize that at the end of the day."

Thus far, CryptoChameleon has managed to ensnare at least eight LastPass customers — but likely more — potentially exposing their master passwords.

**A Brief History of CryptoChameleon**

At first, CryptoChameleon looked like any other phishing kit.

Its operators had been around since late last year. In January, they began by targeting the cryptocurrency exchanges Coinbase and Binance. This initial targeting, plus its highly customizable toolset, earned it its name.

The picture changed in February, though, when they registered the domain fcc-okta\[.\]com, mimicking the Okta Single Sign On (SSO) page belonging to the US's Federal Communications Commission (FCC). "That suddenly made this rise from one of many consumer phishing kits that we see out there, to something that's going to pivot into targeting the enterprise, going after corporate credentials," Richardson recalls.

Richardson confirmed to Dark Reading that FCC employees were impacted, but could not say how many or whether the attacks led to any consequences for the agency. It was a sophisticated attack, he notes, that he expects to have worked even on trained employees.

The problem with CryptoChameleon wasn't just who it was targeting, but how well it did at defeating them. Its trick was thorough, patient, hands-on engagement with victims.

Consider, for example, the current campaign against LastPass.

It begins when a customer receives a call from an 888 number. A robo caller informs the customer that their account has been accessed from a new device. It then prompts them to press "1" to allow access, or "2" to block it. After pressing "2," they're told that they'll be receiving a call shortly from a customer service representative in order to "close the ticket."

Then the call comes in. Unbeknownst to the recipient, it's from a spoofed number. On the other end of the line is a live person, typically with an American accent. Other CryptoChameleon victims have also reported speaking with British agents.

"The agent has professional call center communication skills, and offers genuinely good advice," Richardson recalls from his many conversations with victims. "So, for example, they might say: 'I want you to write down this support phone number for me.' And they have victims write down the real support phone number for whoever they're impersonating. And then they give them a whole lecture: 'Only call us on this number.' I had a victim report that they actually said, 'For quality and training purposes, this call is being recorded.' They're using the full call script, everything that you can think of to make someone believe that they're really talking to this company right now."

This supposed support agent informs the user that they'll be sending an email shortly, allowing the user to reset access to their account. In fact, this is a malicious email containing a shortened URL, directing them to a phishing site.

The helpful support agent watches in real time as the user enters their master password into the copycat site. Then they use it to log into their account, and immediately change the primary phone number, email address, and master password, thereby locking the victim out for good.

All the while, Richardson says, "They don't realize it's a scam — none of the victims I talked to. One person said, 'I don't think I ever entered my master password in there.' \[I told them\] 'You spent 23 minutes on the phone with these guys. You probably did.'"

**The Damage**

LastPass shut down the suspicious domain used in the attack — help-lastpass\[.\]com — shortly after it went live. The attackers have been persistent, though, continuing their activity under a new IP address.

With visibility into the attackers' internal systems, Richardson was able to identify at least eight victims. He also offered evidence (which Dark Reading is keeping confidential) indicating that there may have been more than that.

When asked for further information, LastPass senior intelligence analyst Mike Kosak told Dark Reading, "We do not disclose details on the number of customers who are impacted by this type of campaign, but we support any customer who may be a victim of this and other scams. We encourage people to report potential phishing scams and other nefarious activity impersonating LastPass to us at \[email protected\]."

**Is There Any Defense?**

Because hands-on CryptoChameleon attackers talk their victims through any potential security barriers like multifactor authentication (MFA), defending against them begins with awareness.

"People need to be aware that attackers can spoof phone numbers — that just because an 800 or 888 number calls you, it doesn't mean that it's legitimate," Richardson says, adding that  "just because there's an American on the other end of the line also does not mean that it's legitimate."

In fact, he says, "Don't answer the phone from unknown callers. I know that's a sad reality of the world that we live in today."

Even with all the awareness and precautionary measures known to business users and consumers, though, a particularly sophisticated social engineering attack might still get through.

"One of the CryptoChameleon victims I talked to was a retired IT professional," Richardson recalls. "He said, 'I've gotten training my whole life to not fall for these kinds of attacks. Somehow I fell for it'."

LastPass has asked Dark Reading to remind customers of the following:

*   Ignore any unsolicited or unprompted incoming phone calls (automated or with a live individual) or texts claiming to be from LastPass related to a recent attempt to change your password and/or account information. These are part of an ongoing phishing campaign. 
    
*   If you do see this activity and are concerned you may have been compromised, contact the company at \[email protected\].
    
*   And finally, LastPass will never ask you for your password.
    

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Multiple LastPass Users Lose Master Passwords to Ultra-Convincing Scam

Airbnb's Allyn Stott recommends adding the Human Maturity Model (HMM) and the SABRE framework to complement MITRE ATT&CK to improve security metrics analysis.

Source: Dzmitry Skazau via Alamy Stock Photo

Sorting the false positives from the true positives: Ask any security operations center professional, and they'll tell you it's one of the most challenging aspects of developing a detection and response program.

As the volume of threats continues to rise, having an effective approach to measuring and analyzing this kind of performance data has become more critical to an organization's detection and response program. On Friday at the Black Hat Asia conference in Singapore, Allyn Stott, senior staff engineer at Airbnb, encouraged security professionals to reconsider how they use such metrics in their detection and response programs — a topic he broached last year's Black Hat Europe.

"At the end of that talk, a lot of the feedback I received was, 'This is great, but we really want to know how we can get better at metrics,'" Stott tells Dark Reading. "That's an area where I've seen a lot of struggles."

**The Importance of Metrics**

Metrics are critical in assessing the effectiveness of a detection and response program because they drive improvement, reduce the impact of threats, and validate investment by demonstrating how the program lowers risk to the business, Stott says.

"Metrics help us communicate what we do and why people should care," Stott says. "That's especially important in detection and response because it's very difficult to understand from a business perspective.”

The most critical area for delivering effective metrics is alert volume: "Every security operations center I've ever worked in or ever walked foot in, it's their primary metric," Stott says.

Knowing how many alerts are coming in is important but, by itself, is still not enough, he adds.

"The question is always, 'How many alerts are we seeing?'" Stott says. "And that doesn't tell you anything. I mean, it tells you how many alerts the organization receives. But it doesn't actually tell you if your detection and response program is catching more things."

Effectively leveraging metrics can be complex and labor-intensive, adding to the challenge of effectively measuring threat data, Stott says. He acknowledges that he has made his share of mistakes when it comes to engineering metrics to assess the effectiveness of security operations.

As an engineer, Stott routinely evaluates the effectiveness of the searches he conducts and the tools he uses, seeking to get accurate true- and false-positive rates for detected threats. The challenge for him and most security professionals is connecting that information to the business.

**Implementing Frameworks Properly Is Critical **

One of his biggest mistakes was his approach in focusing too much on the MITRE ATT&CK framework. While Stott says he believes it provides critical details on threat actors' different threat techniques and activities and organizations should use it, that doesn't mean they should apply it to everything.

"Every technique can have 10, 15, 20, or 100 different variations," he says. "And so having 100% coverage is kind of a crazy endeavor."

Besides MITRE ATT&CK, Stott recommends using the SANS Institute's Hunting Maturity Model (HMM), which helps describe an organization's existing threat-hunting capability and provides a blueprint for improving it.

"It gives you the ability to, as a metric, say where you're at as far as your maturity today and how the investments you're planning to make or the projects you're planning to do will increase your maturity," Stott says.

He also recommends using the Security Institute's SABRE framework, which provides risk management and security performance metrics validated with third-party certifications.

"Rather than test across all of the MITRE ATT&CK framework, you're actually working on a prioritized list of techniques, which includes using MITRE ATT&CK as a tool," he says. "That way, you're not just looking at your threat intel but also at security incidents and threats that would be critical risks for the organization."

Use of these guidelines for metrics requires buy-in from CISOs, since it means gaining organizational adherence to these different maturity models. Nevertheless, it tends to be driven by a bottom-up approach, where threat intelligence engineers are the early drivers.

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Rethinking How You Work With Detection and Response Metrics

### Summary
This is basically [GHSA-88j4-pcx8-q4q](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3) but instead of changing passwords, when enabling authentication.

### PoC
- Open Uptime Kuma with authentication disabled
- Enable authentication using another window
- Access the platform using the previously logged-in window
- Note that access (read-write) remains despite the enabled authentication
- Expected behaviour:
  - After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
- Actual behaviour:
  - The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.

### Impact
See [GHSA-g9v2-wqcj-j99g](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-g9v2-wqcj-j99g) and [GHSA-88j4-pcx8-q4q](https://github.com/louislam/uptime-kuma/security/advisories/GHSA-88j4-pcx8-q4q3)

TBH this is quite a niche edge case, so I don't know if this even warrants a security report.  


Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-23q2-5gf8-gjpp

**Enabling Authentication does not close all logged in socket connections immediately**

Low severity GitHub Reviewed Published Apr 19, 2024 in louislam/uptime-kuma • Updated Apr 19, 2024

**Package**

npm uptime-kuma (npm)

**Affected versions**

<= 1.23.11

**Description**

**Summary**

This is basically GHSA-88j4-pcx8-q4q but instead of changing passwords, when enabling authentication.

**PoC**

*   Open Uptime Kuma with authentication disabled
*   Enable authentication using another window
*   Access the platform using the previously logged-in window
*   Note that access (read-write) remains despite the enabled authentication
*   Expected behaviour:
    *   After enabling authentication, all previously connected sessions should be invalidated, requiring users to log in.
*   Actual behaviour:
    *   The system retains sessions and never logs out users unless explicitly done by clicking logout or refreshing the page.

**Impact**

See GHSA-g9v2-wqcj-j99g and GHSA-88j4-pcx8-q4q

TBH this is quite a niche edge case, so I don't know if this even warrants a security report.

**References**

*   GHSA-23q2-5gf8-gjpp
*   GHSA-88j4-pcx8-q4q3
*   GHSA-g9v2-wqcj-j99g
*   louislam/uptime-kuma@7a9e2f5

Published to the GitHub Advisory Database

Apr 19, 2024

Last updated

Apr 19, 2024

GHSA-23q2-5gf8-gjpp: Enabling Authentication does not close all logged in socket connections immediately 

By Waqas
Fear AI taking your IT or cybersecurity job? Don't! Learn how AI creates new opportunities in network management, threat detection & more.
This is a post from HackRead.com Read the original post: IT and Cybersecurity Jobs in the Age of Emerging AI Technologies

Artificial intelligence (AI) is rapidly transforming industries, and IT and cybersecurity are no exception. While some fear AI replacing human workers, the reality is far more subtle. AI will undoubtedly automate tasks, but it will also create entirely new job opportunities in both the IT and cybersecurity sectors.

According to the cybersecurity and IT certification exam practice platform Examice, the IT sector has become more lucrative than ever before due to the sudden emergence of AI applications. This growth has caused the need for skilled professionals capable of managing and securing AI-driven systems.

ISC2’s AI Cyber 2024 study also reveals a strong sense of optimism among respondents, with 82% expressing belief in AI’s potential to enhance job efficiency. Additionally, 56% anticipate AI streamlining certain job tasks, thereby allowing more time for tasks of higher value. However, there is a general concern among 75% of respondents regarding the potential misuse of AI for cyberattacks and other malicious purposes.

This article explores how AI will impact these fields and the skills that will be most in demand in the coming years.

****AI’s Impact on IT****

AI’s integration into IT optimises operational tasks and promotes innovation, allowing IT professionals to focus on more strategic initiatives. Here are three key impacts of AI on the IT sector:

*   **Automation of Mundane Tasks:** AI will take over repetitive tasks like server management, software configuration, and basic troubleshooting. This will free up IT professionals to focus on more strategic initiatives like cloud migration, data center optimization, and user experience design.
*   **Enhanced Network Management:** AI-powered tools will proactively monitor networks, identify potential issues, and even take corrective actions before problems arise. This will lead to increased network uptime and efficiency.
*   **The Rise of AI-powered Support:** Chatbots and virtual assistants powered by AI will handle routine user inquiries, freeing up IT staff to address more complex issues.

****New Opportunities in IT****

While adding innovation to the Information Technology sector AI is also creating new opportunities for professionals, job seekers and entrepreneurs. Here are three among countless opportunities that professionals are already taking advantage of, thanks to AI:

*   **AI Integration Specialists:** Businesses will need specialists to integrate AI solutions into existing IT infrastructure and ensure seamless operation.
*   **Data Scientists and Analysts:** The vast amount of data generated by AI systems will require skilled data scientists to analyze it and extract valuable insights.
*   **IT Security Specialists for AI:** As AI becomes more prevalent, securing these systems against cyberattacks will be crucial. This will create a demand for IT security professionals with expertise in AI vulnerabilities.

****AI and Cybersecurity****

Cybersecurity is already a lucrative sector. While hackers can earn big bucks, they also protect and serve their countries by protecting their critical infrastructure from devastating cyber attacks.

It is also a fact that as the cybersecurity sector grows the same can be said about cyber attacks and cyber criminals. Here are 6 key things AI can or is already helping organisations with:

*   **AI-powered Threat Detection:** AI can analyze network traffic patterns and identify malicious activity with greater accuracy and speed than traditional methods. This will be crucial in the fight against increasingly sophisticated cyberattacks.
*   **Vulnerability Detection:** AI can continuously scan systems for vulnerabilities and recommend patches before attackers can exploit them.
*   **AI-driven Phishing Detection:** AI can analyze emails and identify subtle language cues that might indicate a phishing attempt.

*   **Expertise in AI Security:** Understanding how AI systems work and the specific security challenges they pose will be essential.
*   **Human-AI Collaboration:** Security professionals will need to be adept at working alongside AI tools to leverage their combined strengths.
*   **Strong Analytical Skills:** The ability to analyze data and identify security threats will remain a critical skill.

****The Future is Bright****

The rise of AI will undoubtedly change the future of the IT and cybersecurity sectors. However, these changes will not lead to widespread job displacement. Instead, AI will create new opportunities for professionals who are willing to adapt and develop the skills needed to thrive in this evolving environment.

However, cybercriminals are also monitoring the rise of AI. Malicious versions of AI chatbots, such as WormGPT and FraudGPT, are prime examples. Therefore, authorities must take necessary measures to prevent the misuse of AI, while simultaneously fostering its beneficial applications in the IT and cybersecurity domains.

1.  The Most In-Demand Freelance Skills
2.  AI-Powered Scams Fuel Global Cybercrime Surge: INTERPOL
3.  Microsoft is Opening AI-Powered “Copilot for Security” to Public
4.  Mockingbird AI Tool Detects Deepfake Audio with 90% accuracy
5.  Employee Duped by AI-Generated CFO in $25.6M Deepfake Scam

Tag

#auth