Ubuntu Security Notice 6454-2 - Kyle Zeng discovered that the netfilter subsystem in the Linux kernel contained a race condition in IP set operations in certain situations. A local attacker could use this to cause a denial of service. Alex Birnberg discovered that the netfilter subsystem in the Linux kernel did not properly validate register length, leading to an out-of- bounds write vulnerability. A local attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-6454-2October 30, 2023linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspivulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 23.10Summary:Several security issues were fixed in the Linux kernel.Software Description:- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systemsDetails:Kyle Zeng discovered that the netfilter subsystem in the Linux kernelcontained a race condition in IP set operations in certain situations. Alocal attacker could use this to cause a denial of service (system crash).(CVE-2023-42756)Alex Birnberg discovered that the netfilter subsystem in the Linux kerneldid not properly validate register length, leading to an out-of- boundswrite vulnerability. A local attacker could possibly use this to cause adenial of service (system crash). (CVE-2023-4881)It was discovered that the Quick Fair Queueing scheduler implementation inthe Linux kernel did not properly handle network packets in certainconditions, leading to a use after free vulnerability. A local attackercould use this to cause a denial of service (system crash) or possiblyexecute arbitrary code. (CVE-2023-4921)Kevin Rich discovered that the netfilter subsystem in the Linux kernel didnot properly handle removal of rules from chain bindings in certaincircumstances, leading to a use-after-free vulnerability. A local attackercould possibly use this to cause a denial of service (system crash) orexecute arbitrary code. (CVE-2023-5197)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 23.10:   linux-image-6.5.0-1006-raspi    6.5.0-1006.8   linux-image-6.5.0-1008-azure    6.5.0-1008.8   linux-image-6.5.0-1008-azure-fde  6.5.0-1008.8   linux-image-6.5.0-1008-gcp      6.5.0-1008.8   linux-image-6.5.0-1009-aws      6.5.0-1009.9   linux-image-6.5.0-1011-oracle   6.5.0-1011.11   linux-image-aws                 6.5.0.1009.9   linux-image-azure               6.5.0.1008.10   linux-image-azure-fde           6.5.0.1008.10   linux-image-gcp                 6.5.0.1008.8   linux-image-oracle              6.5.0.1011.11   linux-image-raspi               6.5.0.1006.7   linux-image-raspi-nolpae        6.5.0.1006.7After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:   https://ubuntu.com/security/notices/USN-6454-2   https://ubuntu.com/security/notices/USN-6454-1   CVE-2023-42756, CVE-2023-4881, CVE-2023-4921, CVE-2023-5197Package Information:   https://launchpad.net/ubuntu/+source/linux-aws/6.5.0-1009.9   https://launchpad.net/ubuntu/+source/linux-azure/6.5.0-1008.8   https://launchpad.net/ubuntu/+source/linux-gcp/6.5.0-1008.8   https://launchpad.net/ubuntu/+source/linux-oracle/6.5.0-1011.11   https://launchpad.net/ubuntu/+source/linux-raspi/6.5.0-1006.8

Ubuntu Security Notice USN-6454-2

VinChin Backup and Recovery in VinChin VMWare Backup versions 5.0 through 7.0 suffers from hardcoded credential and remote code execution vulnerabilities.

    VinChin Backup & Recovery is an all-in-one backup solution for virtual infrastructures supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.VinChin has failed to acknowledge the various requests over a month period, we are thus disclosing the following vulnerabilities:CVE-2023-45499 - VinChin VMWare Backup 5.0 to 7.0During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.CVE-2023-45498 - VinChin VMWare Backup 5.0 to 7.0While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.Timeline:2023-09-22: LeakIX makes initial contact2023-09-25: VinChin request details2023-09-25: LeakIX request Safe harbour2023-09-26: No reply, LeakIX requests update2023-09-27: No reply, LeakIX sends PoC2023-09-29: No reply, LeakIX requests feedback2023-10-05: No reply, LeakIX requests feedback2023-10-10: No reply, LeakIX requests feedback from alternative email2023-10-11: No reply, LeakIX requests feedback from another alternative email2023-10-16: No reply, CVE reserved and vendor notified2023-10-18: No reply, LeakIX sent 7 day disclosure warning2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.2023-10-26: No reply, Publishing this advisory

VinChin VMWare Backup 7.0 Hardcoded Credential / Remote Code Execution

Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers – it's almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other

Webinar / Web App Security

Modern web app development relies on cloud infrastructure and containerization. These technologies scale on demand, handling millions of daily file transfers – it's almost impossible to imagine a world without them. However, they also introduce multiple attack vectors that exploit file uploads when working with public clouds, vulnerabilities in containers hosting web applications, and many other persistent threats.

We surveyed organizations responsible for securing critical web applications used by healthcare, financial services, technology, and other critical infrastructure verticals to learn how they tackle the most destructive threats and summarized our findings in the OPSWAT 2023 State of Web Application Security Report. The survey report revealed that:

*   97% of organizations use or will deploy containers in their web hosting environments.
*   75% use cloud storage access solutions and want to prevent malware, secure sensitive data, and mitigate security compliance risks.
*   94% connect to other storage services and are interested in stopping malicious files from infecting your storage.
*   Yet only 2% of organizations feel confident with current security strategies.

In this webinar, join our panel of web application security experts as they expand on the insights gathered while protecting the world's most critical applications.

Our experts will also share five must-know web application security insights, including:

1.  **The leap to cloud infrastructure, how to elevate security without hindering performance.**

Platforms like Microsoft Azure, Amazon Web Services, and Google Cloud Platform are ubiquitous for hosting web applications. However, embracing public cloud hosting without implementing the requisite security measures exposes applications to data breaches.

3.  **Containerization security risks, why you need to fortify your builds.**

Despite significant advantages, containers may bring additional security risks. Malware or vulnerabilities hidden in containers hosting web applications can disrupt business, risk customer data, and lead to compliance violations.

5.  **Strategies to secure file storage while defeating persistent threats and achieving security compliance.**

You must check files for malware and sensitive data to prevent breaches and ensure compliance. Our panel will outline pitfalls and tools you can use to avoid costly and embarrassing data leaks.

7.  **Best practices to secure your software supply chain by locking down every stage of the dev lifecycle.**

Organizations must implement automated tools, services, and standards that enable teams to securely develop, secure, deploy, and operate applications.

9.  **Proven technologies to prevent file-borne and zero-day malware by disarming threats at the perimeter.**

Despite most organizations increasing their security budgets, most only use five or fewer AV engines to detect malicious files. Surprisingly, very few disarm files with potentially dangerous payloads with Content Disarm and Reconstruction (CDR) technology.

Join our panel of cybersecurity veterans Emo Gokay, Multi-Cloud Security Engineer at EY Technologies and George Prichici, VP of Products at OPSWAT, as they share insights and strategies gathered from the frontlines of securing critical infrastructure from advanced and persistent malware.

**Register now to walk away with five key web application security insights and strategies**.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Webinar: 5 Must-Know Trends Impacting AppSec

A new ongoing campaign dubbed EleKtra-Leak has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.
"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and

Cloud Security / Cryptocurrency

A new ongoing campaign dubbed **EleKtra-Leak** has set its eyes on exposed Amazon Web Service (AWS) identity and access management (IAM) credentials within public GitHub repositories to facilitate cryptojacking activities.

"As a result of this, the threat actor associated with the campaign was able to create multiple AWS Elastic Compute (EC2) instances that they used for wide-ranging and long-lasting cryptojacking operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said in a technical report shared with The Hacker News.

The operation, active since at least December 2020, is designed to mine Monero from as many as 474 unique Amazon EC2 instances between August 30 and October 6, 2023.

A standout aspect of the attacks is the automated targeting of AWS IAM credentials within four minutes of their initial exposure on GitHub, indicating that threat actors are programmatically cloning and scanning the repositories to capture the exposed keys.

The adversary has also been observed blocklisting AWS accounts that publicize IAM credentials in what's likely seen as an effort to prevent further analysis.

There is evidence to suggest that the attacker may also have been linked to another cryptojacking campaign disclosed by Intezer in January 2021 aimed at poorly secured Docker services using the same bespoke mining software.

Part of the campaign's success lies in the exploitation of blindspots in GitHub's secret scanning feature and AWS' AWSCompromisedKeyQuarantine policy to flag and prevent the misuse of compromised or exposed IAM credentials to run or start EC2 instances.

While the quarantine policy is applied within two minutes of the AWS credentials being publicly accessible on GitHub, it's being suspected that the keys are being exposed through an as-yet-undetermined method.

Unit 42 said that the "threat actor might be able to find exposed AWS keys that aren't automatically detected by AWS and subsequently control these keys outside of the AWSCompromisedKeyQuarantine policy."

In the attack chains discovered by the cybersecurity company, the stolen AWS credentials are used to perform an account reconnaissance operation, followed by creating AWS security groups and launching multiple EC2 instances across various regions from behind a virtual private network (VPN).

The cryptomining operations are conducted on c5a.24xlarge AWS instances owing to their higher processing power, allowing its operators to mine more cryptocurrency in a shorter period of time.

The mining software used to carry out cryptojacking is fetched from a Google Drive URL, highlighting a pattern of malicious actors leveraging the trust associated with widely used applications to fly under the radar.

"The type of Amazon Machine Images (AMI) the threat actor used was also distinctive," the researchers said. "The identified images were private and they were not listed in the AWS Marketplace."

To mitigate such attacks, organizations that accidentally expose AWS IAM credentials are recommended to immediately revoke any API connections using the keys, remove them from the GitHub repository, and audit GitHub repository cloning events for any suspicious operations.

"The threat actor can detect and launch a full-scale mining operation within five minutes from the time of an AWS IAM credential being exposed in a public GitHub repository," the researchers said. "Despite successful AWS quarantine policies, the campaign maintains continuous fluctuation in the number and frequency of compromised victim accounts."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

 EleKtra-Leak Cryptojacking Attacks Exploit AWS IAM Credentials Exposed on GitHub

CrowdStrike is moving deeper into application security with its agreement to acquire Bionic, provider of ASPM technology that proactively scans software in production for vulnerabilities.

CrowdStrike’s acquisition of Bionic last month is an example of how the company is strengthening its cloud security offerings.

Omdia senior principal analyst Rik Turner believes Bionic will lift CrowdStrike, best known as a leading extended detection and response (XDR), into a significant player in reactive cloud security. "This deal not only takes CrowdStrike into the world of AppSec but also the proactive side of the security market," Turner wrote in a research note.

The acquisition brings Cloud Native Application Protection Platform (CNAPP) and Application Security Posture Management (ASPM) capabilities to CrowdStrike’s Falcon platform. The company plans to combine the Falcon Horizon Cloud Security Posture Management (CSPM) and Falcon Cloud Workload Protection (CWP) modules with Bionic’s technology into a unified dashboard to allow DevOps teams the ability to prioritize cloud security incidents, mitigate runtime threats and provide threat hunting, the company said. Bionic said its ASPM features proactively discovers security, data privacy, and operational risks by continuously scanning and analyzing an organization’s application architecture and software dependencies to uncover any anomalies. Notably, it provides views into the security posture of applications in production.

At CrowdStrike’s Fal.Con user event last month, CrowdStrike president Mike Sentonas demonstrated how Bionic can expand CrowdStrike’s cloud security portfolio to include cloud infrastructure entitlement management (CIEM) capabilities. Bionic can provide visibility into Amazon Web Services and Microsoft Azure applications and the third-party services they communicate with, Sentonas said.

Developers update microservices and serverless functions daily through their CI/CD pipelines. Sentonas showed how Bionic mapped 102 application services, presented their dependencies, and identified how they communicate with each other. “You can drill into each cloud and see what business applications are running,” he said.

Proactive security consists of tools that can identify and remediate vulnerabilities, excessive access permissions and misconfigurations before threat actors discover and exploit them, according to Omdia’s Turner. “It is an approach that complements rather than replaces reactive security, effectively reducing the attack surface that reactive platforms such as XDR and the SIEM/SOAR continuum must address,” Turner said.

Many CrowdStrike customers attending the Fal.Con were familiar with Bionic, and some say they intend to evaluate it, such as Prabhath Karanth, global head of security and Trust at Navan (formerly TripAdvisor). "I’ve looked at Bionic in the past, and they have really good runtime application security technology in the context of the infrastructure," Karanth says.

"It sounds like they want to approach the problem from a runtime perspective and address the problem of running your applications and containers and all of that in production," Karanth says. "Because in a distributed microservices architecture, where your application is sitting in a containerized environment, this container runtime security becomes critical. I’d like to know more. It was just announced. But I think it’s a very strategic acquisition."

Bionic gives organizations a comprehensive view of the risk associated with everything that’s running in the cloud — the applications, the microservices, and everything that’s connected to it — which really represents risk, CrowdStrike founder and CEO George Kurtz said during the opening keynote at the Fal.Con event last month.

"The beauty and the magic of this technology is that you don’t need source code, or you don’t have to plug in the libraries," Kurtz said.

What the Bionic Acquisition Can Bring to CrowdStrike

An issue was discovered in VERMEG AgileReporter 21.3. Attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log.

For a strategic solution you seek:

*   Cost reduction & risk reduction
*   Efficiency optimisation
*   Embedded regulatory change management
*   Straight through process control
*   Senior management certification obligations
*   Regulatory reporting certainty, globally
*   Machine-readable regulatory reporting readiness

**SaaS**

Reduce your TCO. Let VERMEG handle the IT complexity​

**AGILE MI**

Gain valuable insights from your regulatory data​​

**AGILE Assure**

Bring the DataOps revolution to your regulatory data management ​​

​​

**Digital Transformation**

Extend, customise and innovate with AGILE Design Studio and Veggo ​​

**AGILE Reporter value for our clients**

Calculation & allocation: Comprehensive calculations from Basel III risks to national statistical allocations

Ratios: Credit & Market Risk, Leverage, Liquidity Coverage, Large Exposures, IRFS standard computations, integration of models and own analysis reporting

International reporting: Coverage including EBA & ECB (COREP, AnaCredit etc), and multiple international regulators in EU, UK, US, and MAS, HKMA, APRA and others

Added value: Capital utilisation, CFO & management information, dashboard status, threshold alerts, key performance metrics

Change management: VERMEG regulatory change management includes horizon management, impact analyses, data deltas and reporting update service

Workflow and maximised automation: Validations, variance, trend and other sanity checks achieve optimised straight-through processing

Process control: Enjoy ‘exceptions only’ intervention & instantly traceable attestation & approval audit trail

Sized & delivered to suit you: Choose from enterprise-wide full automation, or local last mile, on premise, in the cloud or Regulatory-Reporting-As-A-Service

Download our brochure about AGILE Reporter (PDF).

Granular Data Reporting – a new paradigm of innovation in regulatory reporting or just new challenges?

**Download the Whitepaper**

**Client stories**

**Client 1  
Tier 1 Domestic Bank**

**Challenge**

*   To find a Regulatory Reporting solution capable of integrating with external calculation and processing capabilities
*   To reduce operational risk
*   To increase reporting consistency and transparency
*   To facilitate accelerated regulatory change management

**Client 2  
Neobank growing from start-up**

**Challenge**

*   To find a partner for its Finance team to assist with regulatory reporting requirements in the immediate term and the future as the organisation evolves and scales to a fully fledged bank.
*   The need for a solution/system that minimises the resource requirements of bank’s teams in the areas of Solution Delivery
*   To find a vendor to provide not just a solution but also subject matter expertise to complement the in house team, and to ensure all new regulatory reporting requirements can be met.

**Solution**

*   Provision of AGILE Reporter’s out of the box integration to Oracle’s OFSAA (Oracle Financial Services Analytical Applications) platform.
*   Improved Straight Through Processing (STP) achieved from direct coupling of outputs from OFSAA Results data to AGILE Reporter.
*   VERMEG Subject Matter Expertise around the interpretation of client requirements and business for reporting purposes and the delivery of the operational process to fulfil these.
*   Ability to incorporate data from sources outside of OFSAA into regulatory reporting workflow to ensure completeness of automated reporting coverage.

**Solution**

*   Full scope automated AGILE Reporter deployment
*   VERMEG regulatory expertise to provide guidance on current and future regulatory requirements
*   Analysis Module to facilitate Bank scrutiny of Regulatory Data
*   Hosted on VERMEG cloud platform (Amazon Web Services)

**Results**

*   Streamlined overall Regulatory Reporting workflow while minimising manual intervention in the process
*   Increased accuracy of reporting results through use of the consolidated platform
*   Transparency of process by providing lineage of reporting data from source to regulatory return

**Results**

*   Automated, end-to-end solution providing population of regulatory returns from source data without manual intervention or work arounds
*   Flexible data mapping that meets the needs of a growing business and an evolving IT Architecture
*   Consistent data lineage from source through to final returns
*   Comprehensive validation checks ensure integrity of regulator submissions
*   Cloud solution minimises burden on Bank’s technical resources with regard to both delivery and ongoing maintenance

****Awards & Certifications****

**VEREMG is delighted to share that we were recently awarded ‘Best Vendor Solution for APRA APS 220′ AND ‘Best MAS 610 Solution’ by the RegTech Insight APAC Awards 2022 for our AGILE Reporter solution.**

Read More

CVE-2022-34834: AgileReporter | Regulatory Reporting Solution by VERMEG

Preventative security should be driven by data and risk assessment, not compliance.

As organizations increasingly move their data and workloads to the cloud, securing cloud identities has become paramount. Identities are the keys to accessing cloud resources, and, if compromised, they enable attackers to gain access to sensitive data and systems.

Most attacks we see today are client-side attacks, in which attackers compromise someone's account and use their privileges to move laterally and access sensitive data and resources. To prevent this, you need visibility into your cloud's identity infrastructure. Unless you know the identity of all the people and objects that are accessing systems, their permissions, and their relationships, you won't have the context necessary to effectively assess your risk and take preventative measures.

A number of high-profile attacks illustrate this problem. A compromised cloud identity gave attackers access to SolarWinds' Orion software, where they deployed malicious code to thousands of their customers, including government agencies and Fortune 500 companies. Another example is the Microsoft Exchange attack, in which attackers exploited a vulnerability in Exchange to gain access to email accounts. From there, they stole sensitive data and sent phishing emails in an attempt to compromise other accounts.

For securing the cloud, I advise implementing an approach known as applied risk, which allows security practitioners to make decisions about preventative actions based on contextual data about the relationship between identities and what the downstream impacts of threats are in their specific environments. Here are some practical tips for adopting applied risk.

**Treat Cloud Protection as a Security Project, Not a Compliance Exercise**

For starters, shift your mindset. Gone are the simple days of client-server computing. The cloud environment is a complicated system of data, users, systems, and interactions between all of them.

Checking a series of boxes won't bring greater security if you don't understand how everything works together. Most teams take an unguided approach to preventive security, putting blind faith in the prioritization and remediation strategy put in place years ago. Yet security requires a bespoke approach tailored to every security team based on the organization's broader risk exposure. Not every "critical" alert from a security vendor is necessarily the biggest risk to that specific environment.

To accurately prioritize remediation and reduce risk, you must consider the entire attack surface. Understanding the relationships between exposures, assets, and users help you to determine which issues pose the greatest risk. When you take into account additional context, the "critical" finding may not be the biggest issue.

**Get Visibility Into Your Cloud Identity Infrastructure**

Next, visibility is key. To credibly identify the applied risk, you should do a comprehensive audit of all the identities and access control points in your cloud identity infrastructure. You need to know what resources you have in your environment, whether they're in the cloud or on-premises, how they're provisioned and configured, and other variables.

When securing the cloud, you can't only look at how cloud-specific resources are configured — you have to audit the identity aspect: virtual machines (VMs), serverless functions, Kubernetes clusters, and containers, for instance. One admin may have an account tied to AWS, an Active Directory account with a different role to log into their local systems, an account on GitHub, a Salesforce account, etc. You also have to consider things like the hygiene of the machines that the developers, DevOps, and IT teams are using. A successful phishing attack on a DevOps engineer can have a massive impact on the security posture of your cloud environments.

From there, you should map the relationships between identities and the systems they access. This is an important part of understanding your attack surface. Cloud-native application protection platforms (CNAPPs) are designed to help with this. Having a strong CNAPP platform gives the security team the ability to detect abnormal behavior around a particular identity and detect when configurations start to drift.

**Align Your Different Teams**

Once you have the identities and the relationships mapped out, you need to tie them to vulnerabilities and misconfigurations to determine where you are most vulnerable and start quantifying the applied risk. You can't create an effective remediation strategy without that.

But data and strategy will take you only so far. Teams tend to operate in silos, and each follows prioritization actions based on the specific software they are using, without communication with other teams or alignment on a holistic vision for minimizing risk. Because not every attack surface is the same, you need to structure the organization so that different skill sets can take mitigative action based on the variables specific to their environment.

When teams are coupled more closely, organizational risk drops. Let's say you have a cross-site scripting vulnerability in one of your Web applications. Wouldn't it make sense to prioritize any security or configuration issue associated with the infrastructure running that application? The inverse is also true. Does it not make more sense to address the vulnerability that is running in production or sitting on the Internet versus a vulnerability running in a dev environment with no chance of exploitation?

A large part of the reason security teams work in these silos is because the vendor landscape has kind of forced them to work this way. Until recently, there hasn't been a way to do the things I'm proposing here — at least not for anyone but the 1% of organizations that have vast security budgets and built in-house tools and teams.

To sum up, protecting identities — cloud and otherwise — requires adopting a mindset shift from compliance to a holistic security, applied risk approach that involves gaining visibility into your cloud infrastructure with CNAPP and aligning different teams on prioritizing remediation.

Securing Cloud Identities to Protect Assets and Minimize Risk

VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.

Sun Oct 15, 2023 by BloodyShell in  vulnerability, research, LeakIX  vulnerability, research, LeakIX

**Vulnerability research**

At LeakIX we analyse new vulnerabilities discovered by other researchers every day.

Our goal is to understand them, discover non-intrusive ways to detect them and provide our customers with a list of vulnerable assets.

While researching what others have already found is always an exciting challenge and provides valuable experience, it was time for us to go through the research and disclosure process first hand and get our first CVE on the board.

We decided to look for issues in critical software. It was natural for us to select the “Infrastructure Backup” category. Such software will hold an entire organisation’s data but also credentials to critical points of the network, including:

*   Servers
*   Hypervisors
*   Storage
*   Cloud accounts

**VinChin Backup**

VinChin Backup & Recovery is an **all-in-one backup solution for virtual infrastructures** supporting VMWare, KVM, Xen Server, Hyper-V, OpenStack and more. The product also supports AWS, Azure and other cloud providers as backup storage.

It is used by companies like Sony, Guizhou Power Grid, and while its main market is located in Asia, it has decent adoption on other continents and protects over 10,000 clients.

**CVE-2023-45499**

During our research we discovered an HTTP API exposed by VinChin Backup. This API can be accessed using hard-coded credentials.

The privileges granted are high since ACLs are bypassed for this authentication method.

The list of actions available from the API includes:

*   View/Edit/Add/Delete storage
*   View/Delete backups
*   View/Edit/Add/Delete jobs
*   View/Edit/Add/Delete cloud accounts
*   View/Edit/Add/Delete hypervisors
*   View/Edit/Add/Delete users
*   Query various information such as:
    *   Services status
    *   System information
    *   Licensing

The list is non-exhaustive.

**CVE-2023-45498**

While exploring the various functionalities exposed by the API a particular endpoint was found vulnerable to improper input sanitization. A specially crafted payload results in remote code execution allowing the attacker to execute code with the permissions of the web server.

**Demo**

**Affected versions**

During our routine scans we identified vulnerable products starting from 5.0 up until the last known version.

**IOC**

Any requests made to /api/ from an untrusted IP should be considered suspicious. The log can be found in /var/log/nginx/access.log.

**Mitigation**

At this point VinChin has not acknowledged the issue despite our multiple requests, we can only recommend to remove all exposed instances from untrusted network.

**Timeline**

    2023-09-22: LeakIX makes initial contact
    2023-09-25: VinChin request details
    2023-09-25: LeakIX request Safe harbour
    2023-09-26: No reply, LeakIX requests update
    2023-09-27: No reply, LeakIX sends PoC
    2023-09-29: No reply, LeakIX requests feedback
    2023-10-05: No reply, LeakIX requests feedback
    2023-10-10: No reply, LeakIX requests feedback from alternative email
    2023-10-11: No reply, LeakIX requests feedback from another alternative email
    2023-10-16: No reply, CVE reserved and vendor notified
    2023-10-18: No reply, LeakIX sent 7 day disclosure warning
    2023-10-24: LeakIX sends early warning to providers hosting VinChin on their network.
    2023-10-26: No reply, Publishing this advisory

CVE-2023-45499: CVE-2023-45498: RCE in VinChin Backup

**PRESS RELEASE**

**CAMBRIDGE, England****,** **Oct. 26, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security AI, today unveiled a new Darktrace/Cloud™ solution based on its unique Self-Learning AI. The new solution provides comprehensive visibility of cloud architectures, real-time cloud-native threat detection and response, and prioritized recommendations and actions to help security teams manage misconfigurations and strengthen compliance. When combined with insight from Darktrace solutions for network, email, apps, zero trust and endpoint, Darktrace/Cloud provides a deeper, contextualized understanding of the risks and threats currently facing an organization's digital estate.  

According to a recent report, "Gartner® anticipates over 99 percent of cloud breaches will be based on a customer error, account takeover or misconfiguration until 2027"\[1\]. Cloud environments are constantly evolving so security professionals need to increase the level of visibility while keeping up with changing compliance, risk and security requirements. The rise of cloud-native technologies including containers, Kubernetes and microservices also require new tools and techniques for detecting and responding to known and novel threats.

"Unlike static cloud security tools that provide snapshots of a specific point in time, Darktrace/Cloud is real-time, all the time. Our Self-Learning AI continuously learns patterns between workloads, assets, policy configurations and identities to provide a dynamic view of cloud architectures. We analyze the entire cloud stack from data to control plane, combining an understanding of architecture and network with a new flexible, scalable deployment model," said Jack Stockdale, Chief Technology Officer, Darktrace. "Our innovative approach to cloud security is built on more than a decade of leadership in Cyber AI that is already protecting our customers' critical business areas from network and email to operational technology."

Available today, the new capabilities in Darktrace/Cloud include:

*   **Comprehensive visibility and architecture modeling** for insights into the constantly changing nature of cloud environments. This visibility is constructed dynamically from configuration, network, users and identity and access management (IAM) data. Darktrace establishes patterns of life for cloud resources, identities, and services to understand who has access to what and how. This is critical for detecting anomalies and unknown threats.
*   **Universal attack path modeling** provides a dynamic view of where attackers may look to move next. Darktrace brings together real-time cloud data and a deep understanding of your cloud environment with a platform approach that provides insights about risks from other covered areas of the business (e.g., network, email) to highlight potential attack paths and prioritize important assets to secure.
*   **Unique real-time and cloud-native threat detection and response** that provides a dynamic view of known and novel threats within the cloud. Darktrace combines deep cloud attack path knowledge with real-time anomaly and threat detection through cloud-native autonomous response actions, such as detaching a policy from a user or removing a workload from a security group.
*   **Prioritized cloud posture management** that starts by examining cloud configurations against common compliance frameworks. Where misconfigurations are detected, Darktrace provides a prioritized view of what to fix first, based on a risk profile generated from security and business context. Guided steps can be provided to help teams proactively address these before they become a significant issue.
*   **Cost discovery** to provide a better understanding of cloud resource allocation. This helps teams contextualize their cloud resources according to security and business priorities.
*   **Communication and collaboration capabilities** to streamline workflows between security teams and DevOps teams. Tickets can be created on demand, teams can communicate directly via messaging platforms, and alerts and anomaly detections can be sent to Security Information & Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) products and the Darktrace Mobile app so they can be alerted on the go.
*   **Flexible deployment options** include an agentless deployment by default so organizations can be up and running in minutes. Teams can use the dynamic architectural view and risk context to decide where to deploy agents for enhanced real-time actions and deeper inspection.

Sykes Cottages, a cloud-native travel agency platform in the UK, has experienced significant growth in the last five years and has relied on the cloud to help them scale throughout this period.

"When it comes to cybersecurity, having visibility and an understanding of what you've got and your risks is critical. If I don't know it's there, I can't protect it," said Jonny Mattey, Head of Cybersecurity, Sykes Cottages. "Having a holistic, live view of our cloud environment enables us to work pragmatically and use AI to cut down management time so that we can address security risks and improve our resilience."

The new Darktrace/Cloud solution is now available on Amazon Web Services (AWS) through the AWS Marketplace, a curated digital catalog that makes it easy for customers to find, buy, deploy, and manage the third-party software they need to build solutions and run their business. Darktrace and AWS have been collaborating since 2017 to help organizations secure their AWS environments. Darktrace protects AWS environments for organizations around the world including Sunwest Bank and ProPhase Labs. Darktrace is an AWS Security Competency Partner and is part of the AWS ISV Accelerate program.

"Security is job zero at AWS," said Paddy Fitzpatrick, Director – Independent Software Vendors, UK & Ireland at Amazon Web Services. "As the threat landscape continues to evolve, the availability of AI-based tools like Darktrace/Cloud on the AWS Marketplace will help customers to gain increased visibility, and respond more effectively to security risks and threats."

Darktrace first extended its Cyber AI capabilities to cloud environments in 2016, applying its world class algorithms to granular network traffic. Darktrace/Cloud was recently named Cloud Security Product of the Year for Large Enterprises by Computing Magazine in its 2023 Cloud Excellence Awards.

Learn more about the new enhancements to Darktrace/Cloud by tuning into the launch event at 11:30am ET/4:30pm BST.

**ABOUT DARKTRACE**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, is on a mission to free the world of cyber disruption. Breakthrough innovations in our Cyber AI Research Center in Cambridge, UK have resulted in over 160 patents filed and research published to contribute to the cyber security community. Rather than study attacks, Darktrace's technology continuously learns and updates its knowledge of 'you' and applies that understanding to optimize your state of optimal cyber security. Darktrace is delivering the first ever Cyber AI Loop, fueling a continuous end-to-end security capability that can autonomously spot and respond to novel in-progress threats within seconds. Darktrace employs over 2,200 people around the world and protects approximately 8,900 customers globally from advanced cyber threats. Darktrace was named one of TIME magazine's 'Most Influential Companies' in 2021. To learn more, visit http://www.darktrace.com.

SOURCE Darktrace

Darktrace Unveils Cloud-Native Security Solution Using AI

Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS).
"The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter," the web infrastructure

Network Security / Cyber Attack

Cloudflare on Thursday said it mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks that exploited a recently disclosed flaw called HTTP/2 Rapid Reset, 89 of which exceeded 100 million requests per second (RPS).

"The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter," the web infrastructure and security company said in a report shared with The Hacker News. "Similarly, L3/4 DDoS attacks also increased by 14%."

The total number of HTTP DDoS attack requests in the quarter surged to 8.9 trillion, up from 5.4 trillion in Q2 2023 and 4.7 trillion in Q1 2023. The number of attack requests in Q4 2022 stood at 6.5 trillion.

HTTP/2 Rapid Reset (CVE-2023-44487) came to light earlier this month following an industry-wide coordinated disclosure that delved into DDoS attacks orchestrated by an unknown actor by leveraging the flaw to target various providers such as Amazon Web Services (AWS), Cloudflare, and Google Cloud.

Fastly, in a disclosure of its own on Wednesday, said it countered a similar attack that peaked at a volume of about 250 million RPS and a duration of approximately three minutes.

"Botnets that leverage cloud computing platforms and exploit HTTP/2 are able to generate up to x5,000 more force per botnet node," Cloudflare noted. "This allowed them to launch hyper-volumetric DDoS attacks with a small botnet ranging 5-20 thousand nodes alone."

Some of the top industries targeted by HTTP DDoS attacks include gaming, IT, cryptocurrency, computer software, and telecom, with the U.S., China, Brazil, Germany, and Indonesia accounting for the biggest sources of application layer (L7) DDoS attacks.

On the other hand, the U.S., Singapore, China, Vietnam, and Canada emerged as the main targets of HTTP DDoS attacks.

"For the second consecutive quarter, DNS-based DDoS attacks were the most common," the company said. "Almost 47% of all attacks were DNS-based. This represents a 44% increase compared to the previous quarter. SYN floods remain in second place, followed by RST floods, UDP floods, and Mirai attacks."

Another notable change is the decrease in ransom DDoS attacks, which Cloudflare said "is because threat actors have realized that organizations will not pay them."

The disclosure comes amid internet traffic fluctuations and a spike in DDoS attacks in the aftermath of the Israel-Hamas war, with Cloudflare repelling several attack attempts aimed at Israeli and Palestinian websites.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#aws