A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.
The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed Earth Baxia

Cyber Espionage / Malware

A suspected advanced persistent threat (APT) originating from China targeted a government organization in Taiwan, and possibly other countries in the Asia-Pacific (APAC) region, by exploiting a recently patched critical security flaw impacting OSGeo GeoServer GeoTools.

The intrusion activity, which was detected by Trend Micro in July 2024, has been attributed to a threat actor dubbed **Earth Baxia**.

"Based on the collected phishing emails, decoy documents, and observations from incidents, it appears that the targets are primarily government agencies, telecommunication businesses, and the energy industry in the Philippines, South Korea, Vietnam, Taiwan, and Thailand," researchers Ted Lee, Cyris Tseng, Pierre Lee, Sunny Lu, and Philip Chen said.

The discovery of lure documents in Simplified Chinese points to China being one of the affected countries as well, although the cybersecurity company said it does not have enough information to determine what sectors within the country have been singled out.

The multi-stage infection chain process leverages two different techniques, using spear-phishing emails and the exploitation of the GeoServer flaw (CVE-2024-36401, CVSS score: 9.8), to ultimately deliver Cobalt Strike and a previously unknown backdoor codenamed EAGLEDOOR, which allows for information gathering and payload delivery.

"The threat actor employs GrimResource and AppDomainManager injection to deploy additional payloads, aiming to lower the victim's guard," the researchers noted, adding the former method is used to download next-stage malware via a decoy MSC file dubbed RIPCOY embedded within a ZIP archive attachment.

It's worth mentioning here that Japanese cybersecurity company NTT Security Holdings recently detailed an activity cluster with links to APT41 that it said used the same two techniques to target Taiwan, the Philippines military, and Vietnamese energy organizations.

It's likely that these two intrusion sets are related, given the overlapping use of Cobalt Strike command-and-control (C2) domains that mimic Amazon Web Services, Microsoft Azure (e.g., "s3cloud-azure," "s2cloud-amazon," "s3bucket-azure," and "s3cloud-azure"), and Trend Micro itself ("trendmicrotech").

The end goal of the attacks is to deploy a custom variant of Cobalt Strike, which acts as a launchpad for the EAGLEDOOR backdoor ("Eagle.dll") via DLL side-loading.

The malware supports four methods to communicate with the C2 server over DNS, HTTP, TCP, and Telegram. While the first three protocols are used to transmit the victim status, the core functionality is realized through the Telegram Bot API to upload and download files, and execute additional payloads. The harvested data is exfiltrated via curl.exe.

"Earth Baxia, likely based in China, conducted a sophisticated campaign targeting government and energy sectors in multiple APAC countries," the researchers pointed out.

"They used advanced techniques like GeoServer exploitation, spear-phishing, and customized malware (Cobalt Strike and EAGLEDOOR) to infiltrate and exfiltrate data. The use of public cloud services for hosting malicious files and the multi-protocol support of EAGLEDOOR highlight the complexity and adaptability of their operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Exploit GeoServer Flaw to Target APAC Nations with EAGLEDOOR Malware

PRESS RELEASE

AUSTIN, Texas and Fal.Con 2024, Las Vegas – September 16, 2024 — CrowdStrike (NASDAQ: CRWD) today announced the launch of its second annual Cybersecurity Startup Accelerator with Amazon Web Services (AWS). NVIDIA also joins in supporting the Accelerator program, powering the next generation of artificial intelligence (AI) and cloud security startups. Targeting cybersecurity’s next market-defining disruptors across the U.S. and EMEA, AWS and CrowdStrike with NVIDIA through its Inception program, will provide mentorship, technical expertise, funding and go-to-market opportunities.  
Applications for the AWS and CrowdStrike Cybersecurity Startup Accelerator with NVIDIA are open from September 16, 2024 to January 10, 2025. Selected startups will be enrolled in a free eight-week program developed by AWS, CrowdStrike and NVIDIA that offers mentorship and guidance from industry experts and executives. Startups will also have access to top-tier global cybersecurity investors, enablement sessions, and up to $25,000 in AWS Activate credits, among other exclusive benefits.

At the end of the program, participants can present their innovations at an in-person Demo Day at the AWS Startup Loft in San Francisco, which will take place during the RSA Conference in April 2025. Winning presentations may be eligible to receive funding from the CrowdStrike Falcon® Fund. 

“CrowdStrike and AWS created the Cybersecurity Startup Accelerator as a formative, value creation experience for innovative startups to learn, create and grow. Since participating in the Accelerator, last year’s cohort participants raised over $150 million from leading global VCs,” said Daniel Bernard, chief business officer, CrowdStrike. “We’re proud to welcome NVIDIA as a supporter of the Accelerator program – bringing together market-leading cybersecurity, cloud and AI expertise to cultivate tomorrow’s great innovators.”

“For startups seeking to tackle the most pressing security challenges, the Cybersecurity Startup Accelerator provides the AI technologies, accelerated computing resources and technical expertise they need,” said Bartley Richardson, director of cybersecurity engineering at NVIDIA.

To apply, visit this website. Startups are encouraged to review the terms and conditions here.

You May Also Like

CrowdStrike Expands Cybersecurity Startup Accelerator With AWS and NVIDIA

PRESS RELEASE

SAN FRANCISCO, Sept. 18, 2024 /PRNewswire/ -- Abstract Security, building the future of AI-enabled security operations, today announced it has added support for deployments within Google Cloud Platform (GCP).

The support for GCP follows Abstract Security's existing support for AWS and Azure. Abstract enables multi-cloud deployments of its SOC platform, deploying multiple instances of Abstract Security around the world to support data localization requirements and eliminate data transfer costs. Additionally, Abstract supports transactions through both AWS and Azure marketplaces with GCP coming soon.

"Abstract's ability to offer customers a true multi-cloud offering with three different cloud platforms in AWS, Azure and now GCP is something we're very proud of for this growing startup," said Colby DeRodeff, co-founder and CEO of Abstract Security. "Because we deploy directly into our customers' cloud environment, we enable those customers to truly own their own data, which separates us from most of our competitors."

Abstract Security's SOC platform offers:

*   Seamless integration with local GCP services - Ensuring strong security coverage and visibility into GCP services.
    
*   Abstract Intel Gallery - As part of Abstract's data fabric, organizations can leverage no-code ETL to enrich events with real-time threat intelligence, enhancing detection accuracy and relevancy.
    
*   Real-time streaming threat detection - Security analytics are powered by AI, enabling enterprises to stay ahead of rapidly evolving cyber threats.
    
*   Compliance and data sovereignty - Providing a single search and reporting view across regional deployments, enabling compliance with data localization requirements.
    

Abstract has seen growing demand since emerging from stealth and announcing its Seed funding in March 2024. In April, Abstract announced the opening of its first Middle East office. In May, the company announced the addition of Christopher Key to its Board of Directors and was selected as a "Pioneering Cybersecurity Startup" winner, as part of the 2024 Global Infosec Awards.

About Abstract Security

Abstract Security, founded in 2023, has built a revolutionary platform equipped with an AI-powered assistant to better centralize the management of security analytics. Crafted by category creators and industry veterans known for redefining the cybersecurity landscape, Abstract transcends next-gen SIEM solutions by correlating data in real time between data streams. As a result, compliance and security data can be leveraged separately to increase detection effectiveness and lower costs – an approach that does not currently exist in the market.

The leadership team of Colby DeRodeff, Ryan Clough, Aaron Shelmire, Chris Camacho, and Stefan Zier bring a unique set of experiences and backgrounds in product development and company-building expertise, at companies such as ArcSight (acq. by HP), Mandiant (acq. by Google), Palo Alto Networks and Sumo Logic. For more information about the company, please visit https://www.abstract.security/ and follow the journey @Get\_Abstracted.

You May Also Like

Abstract Security Expands Multi-Cloud Security Operations

Ubuntu Security Notice 7021-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7021-1September 18, 2024linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15,linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15,linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-intel-iotg-5.15,linux-kvm, linux-nvidia, linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-azure: Linux kernel for Microsoft Azure Cloud systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-azure-5.15: Linux kernel for Microsoft Azure cloud systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-intel-iotg-5.15: Linux kernel for Intel IoT platformsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - BTRFS file system;  - F2FS file system;  - GFS2 file system;  - BPF subsystem;  - Netfilter;  - RxRPC session sockets;  - Integrity Measurement Architecture(IMA) framework;(CVE-2024-39496, CVE-2024-41009, CVE-2024-26677, CVE-2024-42160,CVE-2024-27012, CVE-2024-42228, CVE-2024-39494, CVE-2024-38570)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1053-gkeop   5.15.0-1053.60  linux-image-5.15.0-1063-ibm     5.15.0-1063.66  linux-image-5.15.0-1063-raspi   5.15.0-1063.66  linux-image-5.15.0-1065-intel-iotg  5.15.0-1065.71  linux-image-5.15.0-1065-nvidia  5.15.0-1065.66  linux-image-5.15.0-1065-nvidia-lowlatency  5.15.0-1065.66  linux-image-5.15.0-1067-gke     5.15.0-1067.73  linux-image-5.15.0-1067-kvm     5.15.0-1067.72  linux-image-5.15.0-1068-oracle  5.15.0-1068.74  linux-image-5.15.0-1069-gcp     5.15.0-1069.77  linux-image-5.15.0-1070-aws     5.15.0-1070.76  linux-image-5.15.0-1073-azure   5.15.0-1073.82  linux-image-5.15.0-122-generic  5.15.0-122.132  linux-image-5.15.0-122-generic-64k  5.15.0-122.132  linux-image-5.15.0-122-generic-lpae  5.15.0-122.132  linux-image-aws-lts-22.04       5.15.0.1070.70  linux-image-azure-lts-22.04     5.15.0.1073.71  linux-image-gcp-lts-22.04       5.15.0.1069.65  linux-image-generic             5.15.0.122.122  linux-image-generic-64k         5.15.0.122.122  linux-image-generic-lpae        5.15.0.122.122  linux-image-gke                 5.15.0.1067.66  linux-image-gke-5.15            5.15.0.1067.66  linux-image-gkeop               5.15.0.1053.52  linux-image-gkeop-5.15          5.15.0.1053.52  linux-image-ibm                 5.15.0.1063.59  linux-image-intel-iotg          5.15.0.1065.65  linux-image-kvm                 5.15.0.1067.63  linux-image-nvidia              5.15.0.1065.65  linux-image-nvidia-lowlatency   5.15.0.1065.65  linux-image-oracle-lts-22.04    5.15.0.1068.64  linux-image-raspi               5.15.0.1063.61  linux-image-raspi-nolpae        5.15.0.1063.61  linux-image-virtual             5.15.0.122.122Ubuntu 20.04 LTS  linux-image-5.15.0-1053-gkeop   5.15.0-1053.60~20.04.1  linux-image-5.15.0-1065-intel-iotg  5.15.0-1065.71~20.04.1  linux-image-5.15.0-1069-gcp     5.15.0-1069.77~20.04.1  linux-image-5.15.0-1070-aws     5.15.0-1070.76~20.04.1  linux-image-5.15.0-1073-azure   5.15.0-1073.82~20.04.1  linux-image-5.15.0-122-generic  5.15.0-122.132~20.04.1  linux-image-5.15.0-122-generic-64k  5.15.0-122.132~20.04.1  linux-image-5.15.0-122-generic-lpae  5.15.0-122.132~20.04.1  linux-image-aws                 5.15.0.1070.76~20.04.1  linux-image-azure               5.15.0.1073.82~20.04.1  linux-image-azure-cvm           5.15.0.1073.82~20.04.1  linux-image-gcp                 5.15.0.1069.77~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.122.132~20.04.1  linux-image-generic-hwe-20.04   5.15.0.122.132~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.122.132~20.04.1  linux-image-gkeop-5.15          5.15.0.1053.60~20.04.1  linux-image-intel               5.15.0.1065.71~20.04.1  linux-image-intel-iotg          5.15.0.1065.71~20.04.1  linux-image-oem-20.04           5.15.0.122.132~20.04.1  linux-image-oem-20.04b          5.15.0.122.132~20.04.1  linux-image-oem-20.04c          5.15.0.122.132~20.04.1  linux-image-oem-20.04d          5.15.0.122.132~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.122.132~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7021-1  CVE-2024-26677, CVE-2024-27012, CVE-2024-38570, CVE-2024-39494,  CVE-2024-39496, CVE-2024-41009, CVE-2024-42160, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-122.132  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1070.76  https://launchpad.net/ubuntu/+source/linux-azure/5.15.0-1073.82  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1069.77  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1067.73  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1053.60  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1063.66  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1065.71  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1067.72  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1065.66  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1068.74  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1063.66  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1070.76~20.04.1  https://launchpad.net/ubuntu/+source/linux-azure-5.15/5.15.0-1073.82~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1069.77~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1053.60~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-122.132~20.04.1  https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1065.71~20.04.1

Ubuntu Security Notice USN-7021-1

Ubuntu Security Notice 7020-1 - Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system.

    ==========================================================================Ubuntu Security Notice USN-7020-1September 18, 2024linux, linux-aws, linux-gcp, linux-gke, linux-ibm, linux-lowlatency,linux-lowlatency-hwe-6.8, linux-nvidia, linux-nvidia-6.8,linux-nvidia-lowlatency, linux-oem-6.8, linux-oracle vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 24.04 LTS- Ubuntu 22.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-lowlatency: Linux low latency kernel- linux-nvidia: Linux kernel for NVIDIA systems- linux-nvidia-lowlatency: Linux low latency kernel for NVIDIA systems- linux-oem-6.8: Linux kernel for OEM systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-lowlatency-hwe-6.8: Linux low latency kernel- linux-nvidia-6.8: Linux kernel for NVIDIA systemsDetails:Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - GPU drivers;  - Network drivers;  - SCSI drivers;  - F2FS file system;  - BPF subsystem;  - IPv4 networking;(CVE-2024-42160, CVE-2024-42159, CVE-2024-42154, CVE-2024-41009,CVE-2024-42228, CVE-2024-42224)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 24.04 LTS  linux-image-6.8.0-1011-gke      6.8.0-1011.14  linux-image-6.8.0-1013-ibm      6.8.0-1013.13  linux-image-6.8.0-1013-oem      6.8.0-1013.13  linux-image-6.8.0-1013-oracle   6.8.0-1013.13  linux-image-6.8.0-1013-oracle-64k  6.8.0-1013.13  linux-image-6.8.0-1014-nvidia   6.8.0-1014.15  linux-image-6.8.0-1014-nvidia-64k  6.8.0-1014.15  linux-image-6.8.0-1014-nvidia-lowlatency  6.8.0-1014.15.1  linux-image-6.8.0-1014-nvidia-lowlatency-64k  6.8.0-1014.15.1  linux-image-6.8.0-1015-gcp      6.8.0-1015.17  linux-image-6.8.0-1016-aws      6.8.0-1016.17  linux-image-6.8.0-45-generic    6.8.0-45.45  linux-image-6.8.0-45-generic-64k  6.8.0-45.45  linux-image-6.8.0-45-lowlatency  6.8.0-45.45.1  linux-image-6.8.0-45-lowlatency-64k  6.8.0-45.45.1  linux-image-aws                 6.8.0-1016.17  linux-image-gcp                 6.8.0-1015.17  linux-image-generic             6.8.0-45.45  linux-image-generic-64k         6.8.0-45.45  linux-image-generic-64k-hwe-24.04  6.8.0-45.45  linux-image-generic-hwe-24.04   6.8.0-45.45  linux-image-generic-lpae        6.8.0-45.45  linux-image-gke                 6.8.0-1011.14  linux-image-ibm                 6.8.0-1013.13  linux-image-ibm-classic         6.8.0-1013.13  linux-image-ibm-lts-24.04       6.8.0-1013.13  linux-image-kvm                 6.8.0-45.45  linux-image-lowlatency          6.8.0-45.45.1  linux-image-lowlatency-64k      6.8.0-45.45.1  linux-image-nvidia              6.8.0-1014.15  linux-image-nvidia-64k          6.8.0-1014.15  linux-image-nvidia-lowlatency   6.8.0-1014.15.1  linux-image-nvidia-lowlatency-64k  6.8.0-1014.15.1  linux-image-oem-24.04           6.8.0-1013.13  linux-image-oem-24.04a          6.8.0-1013.13  linux-image-oracle              6.8.0-1013.13  linux-image-oracle-64k          6.8.0-1013.13  linux-image-virtual             6.8.0-45.45  linux-image-virtual-hwe-24.04   6.8.0-45.45Ubuntu 22.04 LTS  linux-image-6.8.0-1014-nvidia   6.8.0-1014.15~22.04.1  linux-image-6.8.0-1014-nvidia-64k  6.8.0-1014.15~22.04.1  linux-image-6.8.0-45-lowlatency  6.8.0-45.45.1~22.04.1  linux-image-6.8.0-45-lowlatency-64k  6.8.0-45.45.1~22.04.1  linux-image-lowlatency-64k-hwe-22.04  6.8.0-45.45.1~22.04.1  linux-image-lowlatency-hwe-22.04  6.8.0-45.45.1~22.04.1  linux-image-nvidia-6.8          6.8.0-1014.15~22.04.1  linux-image-nvidia-64k-6.8      6.8.0-1014.15~22.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7020-1  CVE-2024-41009, CVE-2024-42154, CVE-2024-42159, CVE-2024-42160,  CVE-2024-42224, CVE-2024-42228Package Information:  https://launchpad.net/ubuntu/+source/linux/6.8.0-45.45  https://launchpad.net/ubuntu/+source/linux-aws/6.8.0-1016.17  https://launchpad.net/ubuntu/+source/linux-gcp/6.8.0-1015.17  https://launchpad.net/ubuntu/+source/linux-gke/6.8.0-1011.14  https://launchpad.net/ubuntu/+source/linux-ibm/6.8.0-1013.13  https://launchpad.net/ubuntu/+source/linux-lowlatency/6.8.0-45.45.1  https://launchpad.net/ubuntu/+source/linux-nvidia/6.8.0-1014.15  https://launchpad.net/ubuntu/+source/linux-nvidia-lowlatency/6.8.0-1014.15.1  https://launchpad.net/ubuntu/+source/linux-oem-6.8/6.8.0-1013.13  https://launchpad.net/ubuntu/+source/linux-oracle/6.8.0-1013.13  https://launchpad.net/ubuntu/+source/linux-lowlatency-hwe-6.8/6.8.0-45.45.1~22.04.1  https://launchpad.net/ubuntu/+source/linux-nvidia-6.8/6.8.0-1014.15~22.04.1

Ubuntu Security Notice USN-7020-1

### Impact

When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage.

### Patches

This has been fixed in the 1.10.13 release of the `@backstage/plugin-techdocs-backend` package.

### References

If you have any questions or comments about this advisory:

Open an issue in the [Backstage repository](https://github.com/backstage/backstage)
Visit our Discord, linked to in [Backstage README](https://github.com/backstage/backstage)


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-45816

**@backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability**

Moderate severity GitHub Reviewed Published Sep 17, 2024 in backstage/backstage

**Package**

npm @backstage/plugin-techdocs-backend (npm)

**Affected versions**

< 1.10.13

**Impact**

When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage.

**Patches**

This has been fixed in the 1.10.13 release of the @backstage/plugin-techdocs-backend package.

**References**

If you have any questions or comments about this advisory:

Open an issue in the Backstage repository  
Visit our Discord, linked to in Backstage README

**References**

*   GHSA-39v3-f278-vj3g

Published to the GitHub Advisory Database

Sep 17, 2024

GHSA-39v3-f278-vj3g: @backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability

In this case study, a CISO helps a B2B marketing automation company straighten out its manual compliance process by automating it.

Source: Moodboard Stock Photography via Alamy Stock Photo

Like many tech companies, Metadata.io built its B2B marketing automation business from the ground up, consistently adding key functions like personalization, prospect data enrichment, and creative micro-targeting strategies.

As it was growing, the company did its best to comply with critical attestations and standards like SOC 2 Type II and ISO 27001. But most of the focus was on building the company's core assets, not thinking of ways to streamline and automate compliance.

These frameworks aren't easy to comply with. Although they share about 60% of the same controls, they are completely different frameworks and require different processes.

The company did the best it could to comply with these controls with largely manual processes. All controls were written in spreadsheets, with no owners of specific controls and no way to ensure version control. Controls were stored in nested folders and Google Drive.

After a few years, it became clear that the compliance process simply wasn't working. To address the issue and shore up security in general, Metadata.io hired veteran CISO Raymond Taft.

**A Tangle of Manual Compliance**

"When I first got here, the company was just shy of about three months of its Series B fundraiser. It was still a very scrappy company," Taft says.

The first order of business was addressing the haphazard way Metadata.io was handling compliance. The current, largely manual system made it difficult to track compliance and ensure that controls were continuously monitored.

"Every single background check and confidentiality agreement had to be marked in a folder. It can take an enormous amount of time if you're continuously grabbing evidence for every one of those controls and putting them in these folders," Taft says. "It ends up being a nightmare to collect because you have to go back to that spreadsheet to, for example, collect evidence on specific need to things on specific days."

It was also labor-intensive, taking six people to do nothing but evidence collection. That's a lot of people when the total employee count is only 40.

Taft also discovered that the company was missing controls around background checks, performance reviews, and continuous monitoring of its cloud environment. Perhaps even more concerning was the haphazard way that data loss prevention, and security in general, was monitored and controlled.

"I knew within the first three months of working here that it would never scale as the company planned to grow to three or four times its current size," he says.

Without automation, Taft could see the writing on the wall. In addition to losing customer trust, the company would have had to continue spending a lot of money on evidence-gathering, and may have ended up outsourcing the entire function.

**Automating Compliance via Outsourcing**

Automating the compliance function was the only way Taft could see to gain control and ensure that controls were being consistently met. He didn't think it was a good idea to try to automate the function internally; not only was it not a core competency of the company, but it would incur a significant learning curve and take a significant amount of time.

Compliance automation is a good option for many enterprises, says Rik Turner, a cybersecurity analyst at Omdia.

"If your business spans multiple verticals and/or geographies, it's likely that you will be subject to multiple compliance requirements. This makes complying with them all a time- and resource-consuming undertaking, so automating your compliance activities represents significant potential savings," he says.

In addition, a typical human-driven compliance project is carried out on a monthly, quarterly, or even semi-annual basis, which means that it provides only a point-in-time view of compliance at the moment it was completed. An automated approach, on the other hand, holds the promise of continuous checking and alerting as soon as a change to the infrastructure or business processes risks slipping out of compliance, he adds.

Taft wanted a full-stack automation tool that would be able to configure policies, identify control failures or other issues, and quickly incorporate new controls. He also wanted to ensure that the solution could integrate with the stacks Metadata.io used most commonly. That included Jira, AWS, and GCP, along with its background check provider and HR platform.

"We knew if we could plug into those and continuously gather evidence, we could knock off more than 80% of our total evidence-gathering requirements for the year," he says.

There are plenty of tools that meet the requirements around continuous compliance, Turner says. More specifically, he notes that vertical and geographical breadth of coverage is key. But most importantly, he adds, potential buyers should check whether a tool that measures compliance stops at the alerting stage or can actually remediate situations when it detects that a change has caused the organization to slip out of compliance.

With these issues in mind, Taft settled on Drata for automated compliance monitoring. The tool automates evidence collection from all of its tooling, querying it every second of the day and reporting on status. It also communicates the state of Metadata.io's compliance program to auditors through a portal that also allows them to ask questions.

**Building on Good Results**

Since the implementation, Metadata.io's internal compliance team has been reduced to four people, even though the company has now grown to more than 100 employees. Taft says companies Metadata.io's size typically have compliance teams of 10 to 15.

The company also realized an unanticipated benefit: being able to fold some of its services into Drata via its trust center. Before, the company was paying $30,000 per year to upload its documentation to a trust center, where customers could access it. Drata's solution includes a trust center, saving the company that money.

That's just part of the cost savings. Taft says that all told, automated compliance has resulted in a 6x reduction in cost.

Time savings also has been substantial. For SOC 2 Type II and ISO 27001 compliance audits alone, for example, prep time went from six weeks to two weeks. Taft says that he recently met with the company's auditors for a total of five hours for the audit period. Last year that took four days.

With SOC 2 Part II and ISO 27001 fully automated and under control, Taft's next project is expanding into other compliance projects like ISO 27701, which is focused on data privacy, along with other frameworks.

The key to expanding, he says, is leveraging the automation tool's approach to control mappings and its ability to cross-map.

"There are dozens of frameworks, and they all share a little bit of DNA with each other," Taft explains. "The cross-mappings could be horrendous and could take months. For example, how does ISO 27701 relate to privacy for SOC 2?"

Drata's control and framework mapping enables users to click on a framework and see which controls apply to it. With that information, it's fairly simple to determine what's needed in terms of human resources to adopt the new framework, he says, and whether it makes sense for the business to move forward with it.

**About the Author**

Contributing Writer, Dark Reading

Karen D. Schwartz is a technology and business writer with more than 20 years of experience. She has written on a broad range of technology topics for publications including ITProToday, CIO, InformationWeek, GCN, FCW, FedTech, BizTech, eWeek, and Government Executive.

Compliance Automation Pays Off for a Growing Company

Ubuntu Security Notice 7007-1 - Chenyuan Yang discovered that the CEC driver driver in the Linux kernel contained a use-after-free vulnerability. A local attacker could use this to cause a denial of service or possibly execute arbitrary code. Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kernel did not properly check for the device to be enabled before writing. A local attacker could possibly use this to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-7007-1September 13, 2024linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke,linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm,linux-intel-iotg, linux-intel-iotg-5.15, linux-kvm, linux-nvidia,linux-oracle, linux-raspi vulnerabilities==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in the Linux kernel.Software Description:- linux: Linux kernel- linux-aws: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp: Linux kernel for Google Cloud Platform (GCP) systems- linux-gke: Linux kernel for Google Container Engine (GKE) systems- linux-gkeop: Linux kernel for Google Container Engine (GKE) systems- linux-ibm: Linux kernel for IBM cloud systems- linux-intel-iotg: Linux kernel for Intel IoT platforms- linux-kvm: Linux kernel for cloud environments- linux-nvidia: Linux kernel for NVIDIA systems- linux-oracle: Linux kernel for Oracle Cloud systems- linux-raspi: Linux kernel for Raspberry Pi systems- linux-aws-5.15: Linux kernel for Amazon Web Services (AWS) systems- linux-gcp-5.15: Linux kernel for Google Cloud Platform (GCP) systems- linux-gkeop-5.15: Linux kernel for Google Container Engine (GKE) systems- linux-hwe-5.15: Linux hardware enablement (HWE) kernel- linux-intel-iotg-5.15: Linux kernel for Intel IoT platformsDetails:Chenyuan Yang discovered that the CEC driver driver in the Linux kernelcontained a use-after-free vulnerability. A local attacker could use thisto cause a denial of service (system crash) or possibly execute arbitrarycode. (CVE-2024-23848)Chenyuan Yang discovered that the USB Gadget subsystem in the Linux kerneldid not properly check for the device to be enabled before writing. A localattacker could possibly use this to cause a denial of service.(CVE-2024-25741)It was discovered that the JFS file system contained an out-of-bounds readvulnerability when printing xattr debug information. A local attacker coulduse this to cause a denial of service (system crash). (CVE-2024-40902)Several security issues were discovered in the Linux kernel.An attacker could possibly use these to compromise the system.This update corrects flaws in the following subsystems:  - ARM64 architecture;  - M68K architecture;  - MIPS architecture;  - PowerPC architecture;  - RISC-V architecture;  - x86 architecture;  - Block layer subsystem;  - Cryptographic API;  - Accessibility subsystem;  - ACPI drivers;  - Serial ATA and Parallel ATA drivers;  - Drivers core;  - Bluetooth drivers;  - Character device driver;  - CPU frequency scaling framework;  - Hardware crypto device drivers;  - Buffer Sharing and Synchronization framework;  - DMA engine subsystem;  - FPGA Framework;  - GPIO subsystem;  - GPU drivers;  - Greybus drivers;  - HID subsystem;  - HW tracing;  - I2C subsystem;  - IIO subsystem;  - InfiniBand drivers;  - Input Device (Mouse) drivers;  - Macintosh device drivers;  - Multiple devices driver;  - Media drivers;  - VMware VMCI Driver;  - Network drivers;  - Near Field Communication (NFC) drivers;  - NVME drivers;  - Pin controllers subsystem;  - PTP clock framework;  - S/390 drivers;  - SCSI drivers;  - SoundWire subsystem;  - Greybus lights staging drivers;  - Media staging drivers;  - Thermal drivers;  - TTY drivers;  - USB subsystem;  - DesignWare USB3 driver;  - Framebuffer layer;  - ACRN Hypervisor Service Module driver;  - eCrypt file system;  - File systems infrastructure;  - Ext4 file system;  - F2FS file system;  - JFFS2 file system;  - JFS file system;  - NILFS2 file system;  - NTFS3 file system;  - SMB network file system;  - IOMMU subsystem;  - Memory management;  - Netfilter;  - BPF subsystem;  - Kernel debugger infrastructure;  - DMA mapping infrastructure;  - IRQ subsystem;  - Tracing infrastructure;  - 9P file system network protocol;  - B.A.T.M.A.N. meshing protocol;  - CAN network layer;  - Ceph Core library;  - Networking core;  - IPv4 networking;  - IPv6 networking;  - IUCV driver;  - MAC80211 subsystem;  - Multipath TCP;  - NET/ROM layer;  - NFC subsystem;  - Open vSwitch;  - Network traffic control;  - TIPC protocol;  - TLS protocol;  - Unix domain sockets;  - Wireless networking;  - XFRM subsystem;  - ALSA framework;  - SoC Audio for Freescale CPUs drivers;  - Kirkwood ASoC drivers;(CVE-2024-40961, CVE-2024-38597, CVE-2024-39468, CVE-2024-36978,CVE-2024-42161, CVE-2024-38573, CVE-2024-40905, CVE-2024-42094,CVE-2024-36894, CVE-2024-40914, CVE-2024-40956, CVE-2024-42106,CVE-2024-38610, CVE-2024-39506, CVE-2024-42098, CVE-2024-42232,CVE-2024-38590, CVE-2024-39488, CVE-2024-42127, CVE-2024-41006,CVE-2024-42131, CVE-2024-41005, CVE-2024-40963, CVE-2024-38559,CVE-2024-42130, CVE-2024-37078, CVE-2024-42082, CVE-2024-40984,CVE-2024-38560, CVE-2024-42090, CVE-2024-33621, CVE-2024-40974,CVE-2024-42115, CVE-2024-40971, CVE-2024-40943, CVE-2024-38627,CVE-2024-38548, CVE-2024-40934, CVE-2024-38579, CVE-2024-38558,CVE-2024-39495, CVE-2023-52884, CVE-2024-42225, CVE-2024-38659,CVE-2024-40927, CVE-2024-40967, CVE-2024-38624, CVE-2024-38583,CVE-2024-41047, CVE-2024-38623, CVE-2024-39509, CVE-2024-36971,CVE-2024-42120, CVE-2024-38589, CVE-2024-36270, CVE-2024-42105,CVE-2024-36032, CVE-2024-42101, CVE-2024-40908, CVE-2024-42089,CVE-2024-39482, CVE-2024-38662, CVE-2024-41007, CVE-2024-38635,CVE-2023-52887, CVE-2024-40912, CVE-2024-41027, CVE-2024-38598,CVE-2024-38381, CVE-2024-39503, CVE-2024-39301, CVE-2024-40988,CVE-2024-41000, CVE-2024-39507, CVE-2024-35247, CVE-2024-39277,CVE-2024-42229, CVE-2024-42085, CVE-2024-35927, CVE-2024-42224,CVE-2024-38567, CVE-2024-42097, CVE-2024-41049, CVE-2024-39466,CVE-2024-40957, CVE-2024-40978, CVE-2024-42093, CVE-2024-40937,CVE-2024-41034, CVE-2024-41048, CVE-2024-39471, CVE-2024-39502,CVE-2024-38555, CVE-2024-40970, CVE-2024-36972, CVE-2024-40995,CVE-2024-42154, CVE-2024-40916, CVE-2024-39505, CVE-2024-39475,CVE-2024-38599, CVE-2024-38596, CVE-2024-39493, CVE-2024-42124,CVE-2024-38549, CVE-2024-42084, CVE-2024-40942, CVE-2024-42077,CVE-2024-42152, CVE-2024-40904, CVE-2024-31076, CVE-2024-40960,CVE-2024-41035, CVE-2024-40945, CVE-2024-38605, CVE-2024-42140,CVE-2024-41041, CVE-2024-36014, CVE-2024-38612, CVE-2024-41092,CVE-2024-38546, CVE-2024-40902, CVE-2024-42068, CVE-2024-42121,CVE-2024-42236, CVE-2024-34777, CVE-2024-39467, CVE-2024-42087,CVE-2024-39501, CVE-2024-40980, CVE-2024-38550, CVE-2024-42223,CVE-2024-38607, CVE-2024-42247, CVE-2024-41046, CVE-2024-42080,CVE-2024-40901, CVE-2024-38571, CVE-2024-39480, CVE-2024-42070,CVE-2024-41093, CVE-2024-42148, CVE-2024-38601, CVE-2024-39500,CVE-2024-41097, CVE-2024-38565, CVE-2024-38661, CVE-2024-38615,CVE-2024-41040, CVE-2024-34027, CVE-2024-37356, CVE-2024-42157,CVE-2024-40941, CVE-2024-38634, CVE-2024-41004, CVE-2024-38780,CVE-2024-38552, CVE-2024-39276, CVE-2024-38618, CVE-2024-38588,CVE-2024-42086, CVE-2024-41087, CVE-2024-38582, CVE-2024-40932,CVE-2024-39489, CVE-2024-40968, CVE-2024-42119, CVE-2024-42137,CVE-2024-40929, CVE-2024-38591, CVE-2024-36489, CVE-2022-48772,CVE-2024-42153, CVE-2024-40959, CVE-2024-40987, CVE-2024-36015,CVE-2024-41044, CVE-2024-41002, CVE-2024-42109, CVE-2024-38587,CVE-2024-36286, CVE-2024-41055, CVE-2024-39469, CVE-2024-39487,CVE-2024-38580, CVE-2024-38619, CVE-2024-38613, CVE-2024-42145,CVE-2024-41095, CVE-2024-40958, CVE-2024-40911, CVE-2024-42102,CVE-2024-33847, CVE-2024-36974, CVE-2024-40994, CVE-2024-38633,CVE-2024-40981, CVE-2024-40983, CVE-2024-42096, CVE-2024-42104,CVE-2024-42092, CVE-2024-40954, CVE-2024-38637, CVE-2024-42240,CVE-2024-38621, CVE-2024-38578, CVE-2024-38547, CVE-2024-39490,CVE-2024-42076, CVE-2024-42244, CVE-2024-39499, CVE-2024-38586,CVE-2024-41089, CVE-2024-40976, CVE-2024-42095, CVE-2024-40931,CVE-2024-40990)Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS  linux-image-5.15.0-1052-gkeop   5.15.0-1052.59  linux-image-5.15.0-1062-ibm     5.15.0-1062.65  linux-image-5.15.0-1062-raspi   5.15.0-1062.65  linux-image-5.15.0-1064-intel-iotg  5.15.0-1064.70  linux-image-5.15.0-1064-nvidia  5.15.0-1064.65  linux-image-5.15.0-1064-nvidia-lowlatency  5.15.0-1064.65  linux-image-5.15.0-1066-gke     5.15.0-1066.72  linux-image-5.15.0-1066-kvm     5.15.0-1066.71  linux-image-5.15.0-1067-oracle  5.15.0-1067.73  linux-image-5.15.0-1068-gcp     5.15.0-1068.76  linux-image-5.15.0-1069-aws     5.15.0-1069.75  linux-image-5.15.0-121-generic  5.15.0-121.131  linux-image-5.15.0-121-generic-64k  5.15.0-121.131  linux-image-5.15.0-121-generic-lpae  5.15.0-121.131  linux-image-aws-lts-22.04       5.15.0.1069.69  linux-image-gcp-lts-22.04       5.15.0.1068.64  linux-image-generic             5.15.0.121.121  linux-image-generic-64k         5.15.0.121.121  linux-image-generic-lpae        5.15.0.121.121  linux-image-gke                 5.15.0.1066.65  linux-image-gke-5.15            5.15.0.1066.65  linux-image-gkeop               5.15.0.1052.51  linux-image-gkeop-5.15          5.15.0.1052.51  linux-image-ibm                 5.15.0.1062.58  linux-image-intel-iotg          5.15.0.1064.64  linux-image-kvm                 5.15.0.1066.62  linux-image-nvidia              5.15.0.1064.64  linux-image-nvidia-lowlatency   5.15.0.1064.64  linux-image-oracle-lts-22.04    5.15.0.1067.63  linux-image-raspi               5.15.0.1062.60  linux-image-raspi-nolpae        5.15.0.1062.60  linux-image-virtual             5.15.0.121.121Ubuntu 20.04 LTS  linux-image-5.15.0-1052-gkeop   5.15.0-1052.59~20.04.1  linux-image-5.15.0-1064-intel-iotg  5.15.0-1064.70~20.04.1+1  linux-image-5.15.0-1068-gcp     5.15.0-1068.76~20.04.1  linux-image-5.15.0-1069-aws     5.15.0-1069.75~20.04.1  linux-image-5.15.0-121-generic  5.15.0-121.131~20.04.1  linux-image-5.15.0-121-generic-64k  5.15.0-121.131~20.04.1  linux-image-5.15.0-121-generic-lpae  5.15.0-121.131~20.04.1  linux-image-aws                 5.15.0.1069.75~20.04.1  linux-image-gcp                 5.15.0.1068.76~20.04.1  linux-image-generic-64k-hwe-20.04  5.15.0.121.131~20.04.1  linux-image-generic-hwe-20.04   5.15.0.121.131~20.04.1  linux-image-generic-lpae-hwe-20.04  5.15.0.121.131~20.04.1  linux-image-gkeop-5.15          5.15.0.1052.59~20.04.1  linux-image-intel               5.15.0.1064.70~20.04.1  linux-image-intel-iotg          5.15.0.1064.70~20.04.1  linux-image-oem-20.04           5.15.0.121.131~20.04.1  linux-image-oem-20.04b          5.15.0.121.131~20.04.1  linux-image-oem-20.04c          5.15.0.121.131~20.04.1  linux-image-oem-20.04d          5.15.0.121.131~20.04.1  linux-image-virtual-hwe-20.04   5.15.0.121.131~20.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.ATTENTION: Due to an unavoidable ABI change the kernel updates havebeen given a new version number, which requires you to recompile andreinstall all third party kernel modules you might have installed.Unless you manually uninstalled the standard kernel metapackages(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,linux-powerpc), a standard system upgrade will automatically performthis as well.References:  https://ubuntu.com/security/notices/USN-7007-1  CVE-2022-48772, CVE-2023-52884, CVE-2023-52887, CVE-2024-23848,  CVE-2024-25741, CVE-2024-31076, CVE-2024-33621, CVE-2024-33847,  CVE-2024-34027, CVE-2024-34777, CVE-2024-35247, CVE-2024-35927,  CVE-2024-36014, CVE-2024-36015, CVE-2024-36032, CVE-2024-36270,  CVE-2024-36286, CVE-2024-36489, CVE-2024-36894, CVE-2024-36971,  CVE-2024-36972, CVE-2024-36974, CVE-2024-36978, CVE-2024-37078,  CVE-2024-37356, CVE-2024-38381, CVE-2024-38546, CVE-2024-38547,  CVE-2024-38548, CVE-2024-38549, CVE-2024-38550, CVE-2024-38552,  CVE-2024-38555, CVE-2024-38558, CVE-2024-38559, CVE-2024-38560,  CVE-2024-38565, CVE-2024-38567, CVE-2024-38571, CVE-2024-38573,  CVE-2024-38578, CVE-2024-38579, CVE-2024-38580, CVE-2024-38582,  CVE-2024-38583, CVE-2024-38586, CVE-2024-38587, CVE-2024-38588,  CVE-2024-38589, CVE-2024-38590, CVE-2024-38591, CVE-2024-38596,  CVE-2024-38597, CVE-2024-38598, CVE-2024-38599, CVE-2024-38601,  CVE-2024-38605, CVE-2024-38607, CVE-2024-38610, CVE-2024-38612,  CVE-2024-38613, CVE-2024-38615, CVE-2024-38618, CVE-2024-38619,  CVE-2024-38621, CVE-2024-38623, CVE-2024-38624, CVE-2024-38627,  CVE-2024-38633, CVE-2024-38634, CVE-2024-38635, CVE-2024-38637,  CVE-2024-38659, CVE-2024-38661, CVE-2024-38662, CVE-2024-38780,  CVE-2024-39276, CVE-2024-39277, CVE-2024-39301, CVE-2024-39466,  CVE-2024-39467, CVE-2024-39468, CVE-2024-39469, CVE-2024-39471,  CVE-2024-39475, CVE-2024-39480, CVE-2024-39482, CVE-2024-39487,  CVE-2024-39488, CVE-2024-39489, CVE-2024-39490, CVE-2024-39493,  CVE-2024-39495, CVE-2024-39499, CVE-2024-39500, CVE-2024-39501,  CVE-2024-39502, CVE-2024-39503, CVE-2024-39505, CVE-2024-39506,  CVE-2024-39507, CVE-2024-39509, CVE-2024-40901, CVE-2024-40902,  CVE-2024-40904, CVE-2024-40905, CVE-2024-40908, CVE-2024-40911,  CVE-2024-40912, CVE-2024-40914, CVE-2024-40916, CVE-2024-40927,  CVE-2024-40929, CVE-2024-40931, CVE-2024-40932, CVE-2024-40934,  CVE-2024-40937, CVE-2024-40941, CVE-2024-40942, CVE-2024-40943,  CVE-2024-40945, CVE-2024-40954, CVE-2024-40956, CVE-2024-40957,  CVE-2024-40958, CVE-2024-40959, CVE-2024-40960, CVE-2024-40961,  CVE-2024-40963, CVE-2024-40967, CVE-2024-40968, CVE-2024-40970,  CVE-2024-40971, CVE-2024-40974, CVE-2024-40976, CVE-2024-40978,  CVE-2024-40980, CVE-2024-40981, CVE-2024-40983, CVE-2024-40984,  CVE-2024-40987, CVE-2024-40988, CVE-2024-40990, CVE-2024-40994,  CVE-2024-40995, CVE-2024-41000, CVE-2024-41002, CVE-2024-41004,  CVE-2024-41005, CVE-2024-41006, CVE-2024-41007, CVE-2024-41027,  CVE-2024-41034, CVE-2024-41035, CVE-2024-41040, CVE-2024-41041,  CVE-2024-41044, CVE-2024-41046, CVE-2024-41047, CVE-2024-41048,  CVE-2024-41049, CVE-2024-41055, CVE-2024-41087, CVE-2024-41089,  CVE-2024-41092, CVE-2024-41093, CVE-2024-41095, CVE-2024-41097,  CVE-2024-42068, CVE-2024-42070, CVE-2024-42076, CVE-2024-42077,  CVE-2024-42080, CVE-2024-42082, CVE-2024-42084, CVE-2024-42085,  CVE-2024-42086, CVE-2024-42087, CVE-2024-42089, CVE-2024-42090,  CVE-2024-42092, CVE-2024-42093, CVE-2024-42094, CVE-2024-42095,  CVE-2024-42096, CVE-2024-42097, CVE-2024-42098, CVE-2024-42101,  CVE-2024-42102, CVE-2024-42104, CVE-2024-42105, CVE-2024-42106,  CVE-2024-42109, CVE-2024-42115, CVE-2024-42119, CVE-2024-42120,  CVE-2024-42121, CVE-2024-42124, CVE-2024-42127, CVE-2024-42130,  CVE-2024-42131, CVE-2024-42137, CVE-2024-42140, CVE-2024-42145,  CVE-2024-42148, CVE-2024-42152, CVE-2024-42153, CVE-2024-42154,  CVE-2024-42157, CVE-2024-42161, CVE-2024-42223, CVE-2024-42224,  CVE-2024-42225, CVE-2024-42229, CVE-2024-42232, CVE-2024-42236,  CVE-2024-42240, CVE-2024-42244, CVE-2024-42247Package Information:  https://launchpad.net/ubuntu/+source/linux/5.15.0-121.131  https://launchpad.net/ubuntu/+source/linux-aws/5.15.0-1069.75  https://launchpad.net/ubuntu/+source/linux-gcp/5.15.0-1068.76  https://launchpad.net/ubuntu/+source/linux-gke/5.15.0-1066.72  https://launchpad.net/ubuntu/+source/linux-gkeop/5.15.0-1052.59  https://launchpad.net/ubuntu/+source/linux-ibm/5.15.0-1062.65  https://launchpad.net/ubuntu/+source/linux-intel-iotg/5.15.0-1064.70  https://launchpad.net/ubuntu/+source/linux-kvm/5.15.0-1066.71  https://launchpad.net/ubuntu/+source/linux-nvidia/5.15.0-1064.65  https://launchpad.net/ubuntu/+source/linux-oracle/5.15.0-1067.73  https://launchpad.net/ubuntu/+source/linux-raspi/5.15.0-1062.65  https://launchpad.net/ubuntu/+source/linux-aws-5.15/5.15.0-1069.75~20.04.1  https://launchpad.net/ubuntu/+source/linux-gcp-5.15/5.15.0-1068.76~20.04.1  https://launchpad.net/ubuntu/+source/linux-gkeop-5.15/5.15.0-1052.59~20.04.1  https://launchpad.net/ubuntu/+source/linux-hwe-5.15/5.15.0-121.131~20.04.1  https://launchpad.net/ubuntu/+source/linux-intel-iotg-5.15/5.15.0-1064.70~20.04.1

Ubuntu Security Notice USN-7007-1

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint…

A hacker claims to have stolen 440 GB of data from cybersecurity firm Fortinet, exploiting an Azure SharePoint vulnerability. The breach, dubbed “Fortileak,” was revealed on a forum with access credentials shared online.

A hacker using the alias “Fortibitch” has claimed responsibility for leaking 440 GB of data belonging to Fortinet, a prominent cybersecurity firm based in Sunnyvale, California. The hacker stated that the stolen data is now accessible for download via an Amazon S3 bucket, with details of the breach and access credentials shared on the popular underground forum, Breach Forum.

**The Breach: Fortileak**

Dubbed _Fortileak_ by the hacker, the breach allegedly originates from an exposure in Fortinet’s Azure SharePoint instance. In the forum post, the hacker pointed out recent acquisitions by Fortinet, including the Data Loss Prevention (DLP) firm Next DLP and the cloud security company Lacework. They then claimed that Fortinet’s Azure SharePoint had been compromised, allowing for the extraction of the substantial data cache.

The full scope of the compromised data remains unclear, though the hacker emphasized that the breach involves Fortinet’s cloud infrastructure. The hacker provided the following credentials for accessing the alleged stolen data:

Screenshot: Hackread.com

**Ransom Demands and Negotiation Breakdown**

In a further twist, the hacker claimed that Fortinet’s CEO, Ken Xie, walked away from ransom negotiations. In the forum post, the hacker ridiculed Xie, alleging that the CEO refused to engage, stating that he “would rather eat some p\*\*p than pay ransom.” The hacker also questioned why Fortinet had not filed an SEC 8-K form (PDF)—a document required by public companies to disclose major incidents.

The post also contained a mix of taunts and shout-outs to other individuals or groups, which seemed to further underline the hacker’s brash attitude toward the attack and its aftermath.

**Fortinet’s Response**

Hackread.com reached out to Fortinet for an official comment on the breach. A spokesperson for the company confirmed that an unauthorized individual had gained access to a limited number of files stored on a third-party cloud-based shared file drive. These files included data related to a “small” subset of Fortinet customers.

In their statement to Hackread.com, Fortinet reassured stakeholders that there has been no indication of any malicious activity affecting its customers. They emphasized that the company’s operations, products, and services have not been impacted by the breach. Fortinet stated that they have already communicated directly with the affected customers and are continuing to monitor the situation closely.

> _“An individual gained unauthorized access to a limited number of files stored on Fortinet’s instance of a third-party cloud-based shared file drive, which included limited data related to a small number of Fortinet customers, and we have communicated directly with customers as appropriate. To-date there is no indication that this incident has resulted in malicious activity affecting any customers. Fortinet’s operations, products, and services have not been impacted.”_
> 
> Fortinet Spokesperson

This is not the first time Fortinet has faced a cybersecurity incident. Last year, Chinese hackers were reported to be exploiting a zero-day vulnerability in the company’s products. In another instance, hackers were found exploiting a vulnerability in FortiOS, the operating system for Fortinet’s security appliances, to compromise organizations and customers.

Nevertheless, for now, the full extent of the breach remains under investigation, and it is unclear whether the alleged stolen data will be used maliciously or if the ransom negotiations will have any further developments. As more information emerges, both customers and cybersecurity professionals will be watching closely to assess the impact of this incident.

1.  **World’s Leading Cybersecurity Firm Kaspersky Hacked**
2.  **CISA and Fortinet Warns of New FortiOS Zero-Day Flaws**
3.  **X Account of Google Cybersecurity Firm Mandiant Hacked**
4.  **Cybersecurity Firm Hacks Itself, Finds AWS Credentials Leak**
5.  **Hackers dump plain-text login credentials of Fortinet VPN users**

Fortinet Confirms Limited Data Breach After Hacker Leaks 440 GB of Data

The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

Source: Photo Spirit via Shutterstock

One of the world's most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against financial and insurance companies, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.

Scattered Spider has been using SMS and voice phishing — or smishing and vishing, respectively — attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.

"Scattered Spider frequently uses phone-based social engineering techniques … to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," EclecticIQ Threat Intelligence Analyst Arda Büyükkaya wrote in a recent analysis. "The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals."

The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), Büyükkaya said.

**Cloud Services, SaaS in the Crosshairs**

Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, Büyükkaya noted.

"The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection," he wrote.

The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well software as a service (SaaS) platforms such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE "by deploying phishing pages that closely mimic single sign-on (SSO) portals," Büyükkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing — so much so that they even can fool cloud security engineers.

**Spinning a Complex Attack Web**

Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English — all of which it used as part of its heavy artillery. The group soon became infamous for the massive ransomware attacks on Caesars Palace and MGM Entertainment about a year later.

Scattered Spider teamed with BlackCat/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of RansomHub and Qilin earlier this year, after BlackCat/Alphv unceremoniously went dark in March, leaving affiliates in the lurch.

Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and UK officials recently arrested a 17-year-old from the town of Walsall, UK, in July for his connection to the group.

The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so it's as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.

**Defense and Mitigation**

EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to Büyükkaya.

The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.

Other recommendations made specifically focused on Scattered Spider's tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for typosquatting domains. This includes their own organization’s legitimate domains, especially those targeting their own cloud environments.

"Proactively secure these domains to prevent phishing attacks and social engineering tactics," Büyükkaya advised.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#aws