This year, Congress only allocated $55 million in federal grant dollars to states for security and other election improvements.

Thursday, September 19, 2024 14:00

Last week, six Secretaries of State testified to U.S. Congress about the current state of election security ahead of November’s Presidential election. 

Some of the same topics came up as usual — disinformation campaigns, influence from foreign actors, and the physical protection of poll workers on election day. 

It’s good that these conversations are continuing after the various revelations that came out after the 2016 presidential election, and election security is an issue globally, especially this year when there are major elections taking place in hundreds of countries.  

As with many things in politics and life, though, there is still an issue of money. 

Talk of the importance of election security is positive, but at the end of the day, states and municipalities will need monetary and human resources to implement the appropriate defenses and protect everything from voting machines to online vote-tallying systems and social media disinformation campaigns.  

Arizona Secretary of State Adrian Fontes used his time in front of Congress to ask for additional funding, because his state has been unable to execute all their election security goals.  

“None of this is free and none of it is cheap,” he said. “Our operations, administration and security depend on intermittent, rare and never enough funding for the Help America Vote Act grants that we are occasionally given by Congress.” 

Additional federal funds became available for U.S. elections in 2017 after the Department of Homeland Security deemed election systems to be critical infrastructure. But this year, Congress only allocated $55 million in federal grant dollars to states for security and other improvements to elections. For comparison’s sake, presidential and Congressional candidates in the U.S. spent $14 billion on their election campaigns, more than double the amount from 2016. 

At the time, Republican lawmakers in the House voted to totally zero out the fund for the Help America Vote Act, or HAVA, grants, which have existed since 2002. 

One lobbyist even told the Stateline outlet earlier this year that many states were trying to stretch the money they do get from the HAVA program across multiple years for fear of a lack of funding in the coming election cycles.  

JP Martin, deputy communications director for the Arizona secretary of state, said in that same article that Arizona (a crucial swing state in most presidential elections) has had to put a hiring freeze in place because a lack of federal funding. 

So, talk, awareness and planning to secure elections are all positive things. But at the end of the day, all these technologies and solutions, and the people that provide them, cost money. 

**The one big thing **

Cisco Talos’ Vulnerability Research team discovered two vulnerabilities have been disclosed and fixed over the past few weeks. Talos discovered a time-of-check time-of-use vulnerability in Adobe Acrobat Reader, one of the most popular PDF readers currently available, and an information disclosure vulnerability in the Microsoft Windows AllJoyn API. 

**Why do I care? **

AllJoyn is a DCOM-like framework for creating method calls or sending one-way signals between applications on a distributed bus. It primarily is used in internet-of-things (IoT) devices to tell the devices to perform certain tasks, like turning lights on or off or reading the temperature of a space. TALOS-2024-1980 (CVE-2024-38257) could allow an adversary to view uninitialized memory on the targeted machine. Adobe Acrobat Reader, one of the most popular pieces of PDF reading software currently available, contains a time-of-check, use-after-free vulnerability that could trigger memory corruption, and eventually, arbitrary code execution. 

**So now what? **

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Top security headlines of the week **

**Experts and governments are still unpacking a wave of pager and handheld radio explosions in the Middle East.** The attacks appeared to target members of the armed group Hezbollah in Lebanon when hundreds of devices exploded simultaneously on Tuesday, killing multiple people. The international community has been left wondering if this was some type of cyber attack or intentional physical implants in the devices. Messages sent at the time of the attack appeared to come from Hezbollah leadership but instead triggered the explosions. Most analysts are assuming that this was a hardware supply chain attack, in which the pagers were tampered with somehow during manufacturing or while they were in transit. Supply chain attacks are normally carried out at the software level. So far, no one has taken credit for the attacks, though Hezbollah is blaming Israel, one of its chief antagonists. (Reuters, BBC) 

**Ransomware gangs are increasingly leveraging Microsoft Azure to steal victims’ information and store it.** New research findings indicate that groups like BianLian and Rhysida use Microsoft's Azure Storage Explorer and AzCopy to steal data from infiltrated networks, then store it in Azure Blob storage until it can be transferred to an attacker-controlled network. Because Azure is a popular and trusted service, corporate firewalls and security tools are unlikely to block it, making the data transfers more likely to pass undetected. Potential targets that use Azure are recommended to log out of the application after each use to prevent attackers from using the active session for file theft. (Bleeping Computer, modePUSH) 

**Health care facilities and medical devices continue to be top targets for ransomware actors, and industry leaders are calling on the U.S. federal government to do more to assist them.** This year, several massive health care providers across the globe have been affected by cyber attacks, forcing countless surgeries and appointments to be rescheduled and putting sensitive medical records at risk. Past victims include Change Healthcare, Kaiser Permanente and Ascension. One health care executive told NPR that their company was still trying to calculate the financial impact of the Change attack, which paused payments from insurance for months. They are only just now being paid out for services rendered in July. U.S. Sen. Ron Wyden, the chair of the Senate Finance Committee, recently publicly called on the Health and Human Services Department to revise its current approach to cybersecurity, because the current system “is woefully inadequate and has left the health care system vulnerable to criminals and foreign government hackers.” Other experts have said that HHS has traditionally focused on physical disasters like earthquakes, storms and power outages, and not enough on cyberspace. (NPR, Security Intelligence) 

**Can’t get enough Talos? **

*   Despite Russia warnings, Western critical infrastructure remains unprepared 
*   The Cybersecurity Cat-And-Mouse Game 
*   DragonRank Manipulates SEO Rankings To Direct Users To Malicious Sites 

**Upcoming events where you can find Talos**

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** b9ddbd1a4cec61e6b022a275d66312b5b676f9a0a9537a7708de9aa8ce34de59   
**MD5:** 3b100bdcd61bb1da816cd7eaf9ef13ba   
**Typical Filename:** vt-upload-C6In1   
**Claimed Product:** N/A    
**Detection Name:** Backdoor:KillAV-tpd  

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 70ff63cd695033f624a456a5c8511ce8312cffd8ac40492ffe5dc7ae18548668   
**MD5:** 49d35332a1c6fefae1d31a581a66ab46   
**Typical Filename:** 49d35332a1c6fefae1d31a581a66ab46.virus   
**Claimed Product:** N/A     
**Detection Name:** W32.Auto:70ff63.in03.Talos 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos

Talk of election security is good, but we still need more money to solve the problem

What happened to KnowBe4 also has happened to many other organizations, and it's still a risk for companies of all sizes due to a sophisticated network of government-sponsored fake employees.

Source: DD Images via Shutterstock

A postmortem on the accidental hiring of a North Korean threat actor at a security firm reveals a sophisticated, industrial-like network of fake IT workers carefully groomed to fool US companies into giving them employment for the financial gain of the North Korean government.

In July, security awareness training firm KnowBe4 was transparent in revealing how a software engineer the company hired turned out to be a North Korean threat actor who immediately began loading malware onto his company-issued workstation.

Though administrators managed to detect and shut down the malicious operation before any harm was done, the incident served as a wake-up call about the sophistication of a North Korean state-sponsored program that sends operatives posing as credible IT workers out into the workforce.

Within weeks of the company's public revelation, KnowBe4 heard from more than a dozen other organizations that had similar stories of either hiring or being solicited for work by North Korean actors, the company revealed in a white paper (PDF) released this week.

Companies from the size of Fortune 500 organizations to small businesses with only 12 employees accidentally hired North Korean fake employees, with organizations with largely remote workforces being at the highest risk.

Related:Dark Reading Confidential: Pen Test Arrests, Five Years Later

"It turns out that the North Korean fake employee problem is a complex, industrial, scaled nation-state operation, and it is likely that thousands of organizations around the world have or are now involved in accidentally hiring North Korean fake employees," Roger Grimes, KnowBe4 data-driven defense evangelist, wrote in the report.

**Anatomy of a State-Sponsored Fake Employee Program**

The fact that the fake worker scheme is much more widespread than initially believed and that the people taking part in them are "exceptionally skilled" are the greatest lessons learned from KnowBe4's experience, Erich Kron, security awareness advocate at KnowBe4, tells Dark Reading.

"The ability to pass background checks, combined with the willingness and ability to interview on several Zoom calls is indicative of just how polished their program is," he says. "They seem to have processes in place that work exceptionally well on organizations both large and small."

The program takes advantage of a cultural shift in employment among US organizations over the past several years that has made companies more susceptible to placing workers with malicious intent in legitimate positions, Kron says.

This shift is a combination of organizations embracing the remote-work model, and the modern interest in hiring people from around the globe based on their knowledge and abilities rather than geographical location, he says.

Related:FBI Leads Takedown of Chinese Botnet Impacting 200K Devices

"This is extremely challenging when many of the best candidates and people knowledgeable with cutting-edge technology are not US-born and may have strong accents that may have been a barrier to hiring in the past," Kron says. "Multicultural workforces are not only common in the modern business world but are critical if organizations wish to hire the top talent in their fields."

**A Look Behind the Curtain**

KnowBe4 learned much about how the various aspects of the North Korean program operate in the wake of the company's own incident. The company discovered that the chief goal of this program is financial gain, though operatives also to a lesser extent engage in cyber espionage and even corporate sabotage activities, once joining an organization.

Overall, there are four parts that are integral to making the fake employee scheme work: North Korean-based program leaders; North Korean employees and managers based in other countries; non-Korean scheme assisters that are usually based in the country where the job is located; and infrastructure to assist with accepting payments, generating fake identities or stealing real identities, creating fake employee websites and projects, giving references, money laundering, document forgery services, and other supporting activities.

Related:Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

The employees are often skilled IT workers and developers trained at North Korean universities, and are usually located in foreign countries, such as China, in shared living spaces and workspaces. They usually work in busy call-center-like spaces; in fact, organizations that interviewed or hired these fake employees often noted the noisy background, Grimes observed.

KnowBe4 described the employees ensnared in the program as themselves unfortunate victims of a type of human trafficking. They receive very little of the earned revenue, with most of it benefiting the North Korean government. Moreover, close family members stay back in North Korea "to be used as personal leverage to force the employee to toil long hours for very little wages," Grimes wrote.

**How to Spot a North Korean Fake Employee**

KnowBe4 offered substantial guidance for organizations during the hiring process to help them spot a North Korean threat actor before taking that person on board, as well offered after-hiring advice in case an operative makes it onto an IT team.

Some characteristics and behaviors in a candidate to look out for include the person being of Asian decent who is not highly skilled in English, though he or she claims to have always lived in the US. The person will be using a fake identity, a fake ID credential, and a fake work history that will all fail an secondary verification.

The candidate also will supply personal websites, profiles, or GitHub sites that seem overly basic, "often saying something and nothing at the same time, or you can find very similar sites and profiles," Grimes wrote. These sites and profiles also will have been posted only very recently and will have no Internet presence outside of the properties supplied by the candidate.

After hiring, organizations may detect unnecessary logins by the employee on the remote device provided by the company, from an IP address that doesn't match the claimed geographical location, or other unusual behavior. Employees also may work hours inconsistent with the time zone where they claim to be located.

Because the motivation for the threat actors is financial, another red flag after hiring is a request to be paid in unusual or strange payment schemes, including the demand for virtual currency.

**Protecting Your Organization**

If an organization suspects a person is a threat actor during the hiring process, it should be reported immediately to senior management for support in vetting the person's legitimacy. KnowBe4 also advised that organizations "threat model" their hiring process and make updates to mitigate the risk of hiring fake employees, such as sharing the warning signs for these actors with those in the direct hiring process.

Indeed, "reviewing hiring processes and reworking them around lessons learned from the experience has been critical" to KnowBe4's incident recovery, and "well worth the investment" to ensure the scenario doesn't repeat itself, Kron says.

If a company does suspect that one of its employees is a North Korean actor, KnowBe4 advised that any device supplied to the person by the company is immediately locked down to the bare minimum access, and monitored for unusual activity, malware, log modifications, or unexpected language changes. The company also should take further steps to monitor employee activity and, of course, remove the person from the job if suspicions prove true.

In retrospect, KnowBe4 has learned that even though it already had a strong security culture with many controls in place that allowed the company to mitigate the situation quickly, "there is always room for improvement," Kron says.

"Having been through this has allowed us to become even more secure than we were previously," he says, "and by sharing the lessons we learned, we hope it will help others."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Security Firm's North Korean Hacker Hire Not an Isolated Incident

Despite security updates to protect data, 45% of total enterprise instances of the cloud-based IT management platform leaked PII, internal system details, and active credentials over the past year.

Source: Rafa Press via Shutterstock

One-thousand instances of enterprise knowledge bases (KBs) hosted by ServiceNow were found to be exposing sensitive corporate data over the past year, despite improvements in data protection that the company put in place last year to avoid such security issues.

Based on security research conducted by software-as-a-service (SaaS) security firm AppOmni, nearly 45% of total enterprise instances of ServiceNow KBs leak sensitive data, including personally identifiable information (PII), internal system details, and active credentials/tokens to live production systems.

AppOmni chief of SaaS security research Aaron Costello in an analysis published on Sept. 17 attributed the security holes to "outdated configurations and misconfigured access controls in KBs," likely indicating "a systematic misunderstanding of KB access controls or possibly the accidental replication of at least one instance's poor controls to another through cloning," he wrote.

In fact, in many of the cases, organizations with more than one instance of ServiceNow had consistently misconfigured KB access controls across each one, the researchers found.

ServiceNow is a cloud-based IT service management platform. Last year, the company introduced security updates to its platform to prevent unauthenticated users from getting access to data, including default enhancements to access control lists (ACLs). However, the improvements didn't seem to have a great impact on its KBs, a "treasure trove of sensitive internal data" not meant to be seen by those outside of the organization, Costello noted.

**Why Leaks Despite Security Improvements?**

AppOmni revealed its findings to ServiceNow, which worked with its customers to evaluate the instances of customer data leaks and "appropriately configure the accessibility of KB articles," ServiceNow CISO Ben De Bont said in a statement published with AppOmni's analysis.

"We are committed to protecting our customers' data, and security researchers are important partners in our ongoing efforts to improve the security of our products," De Bont said. He thanked Costello and AppOmni not only for identifying the security gap, but also delaying publication of their findings until ServiceNow could coordinate mitigations with customers.

As mentioned, ServiceNow made two key changes to its data protections last year in an effort to improve the security of data hosted on its platform. One was to add properties to prevent select widgets from granting unauthenticated users access to data unless explicitly set to do so, while the second was a new feature called Security Attributes, which is applied to most ACLs by default. It includes specific verifications to ensure unauthenticated users are not allowed access to data.

These updates did not protect data in KBs for two reasons, Costello noted. One is that public widgets that can be used to access the content of KB articles did not receive the update, he wrote. The second reason is that the majority of KBs are secured using a feature called User Criteria as opposed to ACLs, "rendering the addition of the 'UserIsAuthenticated' Security Attribute redundant since it is an ACL-exclusive feature," Costello noted.

Though this may explain the issues found with ServiceNow's KB exposure, it doesn't necessarily explain why organizations in general struggle to lock down KBs. What Costello found in his research is that most enterprise instances — or 60% of the cases he examined — retain an insecure KB security property to "allow public access by default," Costello said.

Moreover, many administrators are unaware that there are various criteria that grant access to unauthenticated users in KB configurations, allowing "external users to slip through the cracks and be granted access," Costello wrote.

**How to Mitigate KB Data Exposure**

Indeed, ServiceNow isn't the only hosting provider to have issues with data leakage from KBs, notes Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. Microsoft, too, experienced a similar issue with leaking client data, "including complete memory dumps, exposed in help desk-type data," he says.

However, pointing fingers at SaaS providers when security issues like KB data leaks arise isn't going to help combat the problem, and organizations also need to take responsibility for the security of their own KBs.

"The reality is that we are all learning how to best secure our data in this world of hyper-connectivity and always online accessible content," he says. "Instead of blaming the vendor, let's use this additional instance of the type of problem to examine our own policies and processes."

Costello suggested ways organizations can do that, including running regular diagnostics on KB access controls to keep security configurations updated, and using business rules to deny unauthenticated access to KB content by default.

They also should be aware of the relevant security properties of KBs, which act as important security guardrails affecting how access control is dictated when both internal and external users attempt to access data, he said.

Keeping in contact with ServiceNow (as well as other SaaS providers that are responsible for hosting sensitive corporate data), and ensuring security updates and efforts are up-to-date can help prevent data exposure, Costello added.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Thousands of ServiceNow KB Instances Expose Sensitive Corporate Data

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).
The sophisticated botnet, dubbed Raptor Train by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020,

Cybersecurity researchers have uncovered a never-before-seen botnet comprising an army of small office/home office (SOHO) and IoT devices that are likely operated by a Chinese nation-state threat actor called Flax Typhoon (aka Ethereal Panda or RedJuliett).

The sophisticated botnet, dubbed **Raptor Train** by Lumen's Black Lotus Labs, is believed to have been operational since at least May 2020, hitting a peak of 60,000 actively compromised devices in June 2023.

"Since that time, there have been more than 200,000 SOHO routers, NVR/DVR devices, network attached storage (NAS) servers, and IP cameras; all conscripted into the Raptor Train botnet, making it one of the largest Chinese state-sponsored IoT botnets discovered to-date," the cybersecurity company said in a 81-page report shared with The Hacker News.

The infrastructure powering the botnet is estimated to have ensnared hundreds of thousands of devices since its formation, with the network powered by a three-tiered architecture consisting of the following -

*   Tier 1: Compromised SOHO/IoT devices
*   Tier 2: Exploitation servers, payload servers, and command-and-control (C2) servers
*   Tier 3: Centralized management nodes and a cross-platform Electron application front-end referred to as Sparrow (aka Node Comprehensive Control Tool, or NCCT)

The way it works is, that bot tasks are initiated from Tier 3 "Sparrow" management nodes, which are then routed through the appropriate Tier 2 C2 servers, and subsequently sent to the bots themselves in Tier 1, which makes up a huge chunk of the botnet.

Some of the devices targeted include routers, IP cameras, DVRs, and NAS from various manufacturers such as ActionTec, ASUS, DrayTek, Fujitsu, Hikvision, Mikrotik, Mobotix, Panasonic, QNAP, Ruckus Wireless, Shenzhen TVT, Synology, Tenda, TOTOLINK, TP-LINK, and Zyxel.

A majority of the Tier 1 nodes have been geolocated to the U.S., Taiwan, Vietnam, Brazil, Hong Kong, and Turkey. Each of these nodes has an average lifespan of 17.44 days, indicating the threat actor's ability to reinfect the devices at will.

"In most cases, the operators did not build in a persistence mechanism that survives through a reboot," Lumen noted.

"The confidence in re-exploitability comes from the combination of a vast array of exploits available for a wide range of vulnerable SOHO and IoT devices and an enormous number of vulnerable devices on the Internet, giving Raptor Train somewhat of an 'inherent' persistence."

The nodes are infected by an in-memory implant tracked as Nosedive, a custom variant of the Mirai botnet, via Tier 2 payload servers explicitly set up for this purpose. The ELF binary comes with capabilities to execute commands, upload and download files, and mount DDoS attacks.

Tier 2 nodes, on the other hand, are rotated about every 75 days and are primarily based in the U.S., Singapore, the U.K., Japan, and South Korea. The number C2 nodes has increased from approximately 1-5 between 2020 and 2022 to no less than 60 between June 2024 and August 2024.

These nodes are flexible in that they also act as exploitation servers to co-opt new devices into the botnet, payload servers, and even facilitate reconnaissance of targeted entities.

At least four different campaigns have been linked to the ever-evolving Raptor Train botnet since mid-2020, each of which are distinguished by the root domains used and the devices targeted -

*   Crossbill (from May 2020 to April 2022) - use of the C2 root domain k3121.com and associated subdomains
*   Finch (from July 2022 to June 2023) - use of the C2 root domain b2047.com and associated C2 subdomains
*   Canary (from May 2023 to August 2023) - use of the C2 root domain b2047.com and associated C2 subdomains, while relying on multi-stage droppers
*   Oriole (from June 2023 to September 2024) - use of the C2 root domain w8510.com and associated C2 subdomains

The Canary campaign, which heavily targeted ActionTec PK5000 modems, Hikvision IP cameras, Shenzhen TVT NVRs, and ASUS routers, is notable for employing a multi-layered infection chain of its own to download a first-stage bash script, which connects to a Tier 2 payload server to retrieve Nosedive and a second-stage bash script.

The new bash script, in turn, attempts to download and execute a third-stage bash script from the payload server every 60 minutes.

"In fact, the w8510.com C2 domain for \[the Oriole\] campaign became so prominent amongst compromised IoT devices, that by June 3, 2024, it was included in the Cisco Umbrella domain rankings," Lumen said.

"By at least August 7, 2024, it was also included in Cloudflare Radar's top 1 million domains. This is a concerning feat because domains that are in these popularity lists often circumvent security tools via domain whitelisting, enabling them to grow and maintain access and further avoid detection."

No DDoS attacks emanating from the botnet have been detected to date, although evidence shows that it has been weaponized to target U.S. and Taiwanese entities in the military, government, higher education, telecommunications, defense industrial base (DIB) and information technology (IT) sectors.

What's more, bots entangled within Raptor Train have likely carried out possible exploitation attempts against Atlassian Confluence servers and Ivanti Connect Secure (ICS) appliances in the same verticals, suggesting widespread scanning efforts.

The links to Flax Typhoon – a hacking crew with a track record of targeting entities in Taiwan, Southeast Asia, North America, and Africa – stem from overlaps in the victimology footprint, Chinese language use, and other tactical similarities.

"This is a robust, enterprise-grade control system used to manage upwards of 60 C2 servers and their infected nodes at any given time," Lumen said.

"This service enables an entire suite of activities, including scalable exploitation of bots, vulnerability and exploit management, remote management of C2 infrastructure, file uploads and downloads, remote command execution, and the ability to tailor IoT-based distributed denial of service (DDoS) attacks at-scale."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New "Raptor Train" IoT Botnet Compromises Over 200,000 Devices Worldwide

Apple Security Advisory 09-16-2024-10 - macOS Ventura 13.7 addresses buffer overflow, bypass, out of bounds access, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-16-2024-10 macOS Ventura 13.7

macOS Ventura 13.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121234.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive user information  
Description: The issue was addressed with improved checks.  
CVE-2024-44129

App Intents  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive data logged when a  
shortcut fails to launch another app  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44182: Kirin (@Pwnrin)

AppKit  
Available for: macOS Ventura  
Impact: An unprivileged app may be able to log keystrokes in other apps  
including those using secure input mode  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-27886: Stephan Casas, an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with additional code-signing  
restrictions.  
CVE-2024-40847: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40814: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2024-44164: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A library injection issue was addressed with additional  
restrictions.  
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An attacker may be able to read sensitive information  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40848: Mickey Jin (@patch1t)

Automator  
Available for: macOS Ventura  
Impact: An Automator Quick Action workflow may be able to bypass  
Gatekeeper  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-44128: Anton Boegler

bless  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44151: Mickey Jin (@patch1t)

Compression  
Available for: macOS Ventura  
Impact: Unpacking a maliciously crafted archive may allow an attacker to  
write arbitrary files  
Description: A race condition was addressed with improved locking.  
CVE-2024-27876: Snoolie Keffaber (@0xilis)

Dock  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed by removing sensitive data.  
CVE-2024-44177: an anonymous researcher

Game Center  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A file access issue was addressed with improved input  
validation.  
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero  
Day Initiative, an anonymous researcher

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44169: Antonio Zekić

Kernel  
Available for: macOS Ventura  
Impact: Network traffic may leak outside a VPN tunnel  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44165: Andrew Lytvynov

Mail Accounts  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University

mDNSResponder  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: A logic error was addressed with improved error handling.  
CVE-2024-44183: Olivier Levon

Notes  
Available for: macOS Ventura  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44167: ajajfxhj

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44178: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: This issue was addressed through improved state management.  
CVE-2024-40797: Rifa'i Rejal Maynando

Sandbox  
Available for: macOS Ventura  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44163: Zhongquan Li (@Guluisacat)

Shortcuts  
Available for: macOS Ventura  
Impact: A shortcut may output sensitive user data without consent  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44158: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to observe data displayed to the user by  
Shortcuts  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)

Transparency  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge David Dudok de Wit for their assistance.

macOS Ventura 13.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboy2sACgkQX+5d1TXa  
IvoOmhAA1kPpqqhEBRbskSU4pFIfX+JY/MyIrnI+6pNgMk3CLhQ5SSx0aFS2tg/c  
We70hoiTA8eWMvRkYr8KYNriNstqCivg7iq84Gv4/ycJ9Hx4Zwj6pZh5If1H8y+Q  
3NVsvLgnmvnAb6W7MvpXtgma47vA5xRe2oefCNe6QbcC2qnQ2xaspBZtH805IkAi  
WznXdr7UXmjJyfjlgp2FifyiLYQoPXPGFOLKkBURDCxaH4SJidgvzxerU+B+1ju9  
dqW29eQwTjG+qhXncTuxfUSuQ5s7g5XfVqfvcTQihUk+ZjWaMYOaUT2UYlAgDfg5  
Mq35kP/Hvh8zmf+Ryufl3D+qfKpyVUUJUKu+kEMbOIoIMkCzM4F0G30czaKiGCA+  
tJCEtsY/oxcbEcy8DLQbesPCv5Hf1Gv2fMkP3p/6CAYqXQ1mXQF0Vm2erKRqS+yD  
N2+M+r/GFzvK4i9bf6j10kDgv9PRxPs+pH9zuU85cwhT+jZzr2dkvTC9p+mI+5CJ  
AZ7ZMgTLbXDw2M4d4e6mEV3XbJ5ebNqQv9t0Hfbg3pf8YVEeAO0casIPopLK6fqi  
uS7gn/3PL9C1HS2gqlekYuwiP0DSleKk9qCDUVVfmAAxTA1vHKvtvlRBO0ykN7HI  
NmX+8AuFy8jnZRmZWXIbav1/EdWYg7e5SLCD+pemYLcMYSoSNXg=  
=YxVI  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-16-2024-10

Apple Security Advisory 09-16-2024-9 - macOS Sonoma 14.7 addresses buffer overflow, bypass, out of bounds access, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-16-2024-9 macOS Sonoma 14.7

macOS Sonoma 14.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121247.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved permissions logic.  
CVE-2024-44153: Mickey Jin (@patch1t)

App Intents  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive data logged when a  
shortcut fails to launch another app  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44182: Kirin (@Pwnrin)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted video file may lead to  
unexpected app termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-40846: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative  
CVE-2024-40845: Pwn2car working with Trend Micro Zero Day Initiative

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: A memory initialization issue was addressed with improved  
memory handling.  
CVE-2024-44154: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with additional code-signing  
restrictions.  
CVE-2024-40847: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2024-44164: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A library injection issue was addressed with additional  
restrictions.  
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An attacker may be able to read sensitive information  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40848: Mickey Jin (@patch1t)

AppleVA  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted video file may lead to  
unexpected app termination  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2024-40841: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

AppSandbox  
Available for: macOS Sonoma  
Impact: An app may be able to access protected files within an App  
Sandbox container  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44135: Mickey Jin (@patch1t)

Automator  
Available for: macOS Sonoma  
Impact: An Automator Quick Action workflow may be able to bypass  
Gatekeeper  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-44128: Anton Boegler

bless  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44151: Mickey Jin (@patch1t)

Compression  
Available for: macOS Sonoma  
Impact: Unpacking a maliciously crafted archive may allow an attacker to  
write arbitrary files  
Description: A race condition was addressed with improved locking.  
CVE-2024-27876: Snoolie Keffaber (@0xilis)

Dock  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed by removing sensitive data.  
CVE-2024-44177: an anonymous researcher

Game Center  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A file access issue was addressed with improved input  
validation.  
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-27880: Junsung Lee

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero  
Day Initiative, an anonymous researcher

Intel Graphics Driver  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Intel Graphics Driver  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

IOSurfaceAccelerator  
Available for: macOS Sonoma  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44169: Antonio Zekić

Kernel  
Available for: macOS Sonoma  
Impact: Network traffic may leak outside a VPN tunnel  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44165: Andrew Lytvynov

Mail Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University

mDNSResponder  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service  
Description: A logic error was addressed with improved error handling.  
CVE-2024-44183: Olivier Levon

Notes  
Available for: macOS Sonoma  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44167: ajajfxhj

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44178: Mickey Jin (@patch1t)

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: This issue was addressed through improved state management.  
CVE-2024-40797: Rifa'i Rejal Maynando

Sandbox  
Available for: macOS Sonoma  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44163: Zhongquan Li (@Guluisacat)

Sandbox  
Available for: macOS Sonoma  
Impact: A malicious application may be able to leak sensitive user  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44125: Zhongquan Li (@Guluisacat)

Security Initialization  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-40801: Zhongquan Li (@Guluisacat), Pedro José Pereira Vieito  
(@pvieito), an anonymous researcher

Shortcuts  
Available for: macOS Sonoma  
Impact: A shortcut may output sensitive user data without consent  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44158: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Sonoma  
Impact: An app may be able to observe data displayed to the user by  
Shortcuts  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea

sudo  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A logic issue was addressed with improved checks.  
CVE-2024-40860: Arsenii Kostromin (0x3c3e)

System Settings  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University

System Settings  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)

Transparency  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge David Dudok de Wit for their assistance.

macOS Sonoma 14.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboywEACgkQX+5d1TXa  
IvrDjxAA2tgRLOOTvFpZrVW/HEBxwCFUn7UkzXyfgUTuqntjSvmsc/pyVmPDpnOM  
UnLhZ4d3B6v44MSelhxSbomtGkggQfYAvcNmlPDk+yMMS0K5yRBJ3dobEt4e53Wj  
9DQl2cQfHxop3uaLRFRTRy5Wk46xIZcsPS3Obb0kLAZpnzD1K2UQ5tIgEVF2ETqi  
SaRlrjqsgiauG/qZ8pzJjQSB1/iNBJCf4TBMBmHHJ91zAVOiYxvVcIAcBl1cBK4m  
UU6Z0vF1NmNCTAu/8KPP0Y6AD5tM7ZrkotU1yTP8uey4r3Ec8XrZqzhTH05sMI5V  
Xt98UeRNl2EJQAJR2Wjfsa2u255SvJ9VJpOGpTff9npsP5c6a7fup2mcKSVmCJHG  
FxFoU9WC2Lx2fsb7kBZXx5y4+/lwKBh8gQBkqOB4vttUZIYwp/rwXJtBvwkSb3E+  
2MTYly0SAAAbwrGoImKsskbiOxB+Ebry2cZ4Rg8rKKwQIfpjpgCb2U97Ue1zCU/S  
lHCObpyD0HtDD13zYw3NXfbrcWS195WhLdgtVl9XJz90pQQwdcINzubGhILmabpl  
Q+QXoSuKNi0ooy9qO8yEmQdzF0swD/FZMqTmF6FFtFby4NpY6ooapHHyhJOGeqSn  
/Poj2T/Ay/xaX7VL2fUPU9n0KTNtp+HgvgpzMX31HpBNXo/96Eo=  
=YUrh  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-16-2024-9

Attackers could have exploited a dependency confusion vulnerability affecting various Google Cloud services to execute a sprawling supply chain attack via just one malicious Python code package.

Source: Aleksia via Alamy Stock Photo

Google has patched a flaw in its Google Cloud Platform (GCP) that attackers could have exploited to execute a supply chain attack on millions of customer cloud servers, simply by deploying a single malicious code package.

Researchers from Tenable discovered the remote code execution (RCE) vulnerability, dubbed "CloudImposer," that attackers could have used to hijack an internal software dependency affecting GCP services, they revealed in analysis published Sept. 16.

Specifically, the flaw was found in GCP's Cloud Composer service for orchestrating software pipelines, but it also affected the Google services App Engine and Cloud Function. The flaw created a scenario called a dependency confusion, a technique discovered several years ago but widely misunderstood even by cloud platform providers, according to Tenable.

A dependency confusion attack, first discovered by security researcher Alex Birsan in 2021, starts when an attacker creates a malicious software package, gives it the same name as a legitimate internal package, and publishes it to a public repository.

"When a developer's system or build process mistakenly pulls the malicious package instead of the intended internal one, the attacker gains access to the system," Tenable senior security researcher Liv Matan explained in the analysis. "This attack exploits the trust developers place in package management systems and can lead to unauthorized code execution or data breaches."

He added: "There’s a surprising and concerning lack of awareness about it and about how to prevent \[dependency confusion\], even among leading tech vendors like Google. And unfortunately, this type of dependency can be exploited to execute supply chain attacks in the cloud that "are exponentially more harmful than on-premises."

"For example, one malicious package in a cloud service can be deployed to — and harm — millions of users," Matan observed. In essence, then, one single faulty command in GCP could potentially have created a ripple affect across myriad cloud deployments, giving attackers access to customers' enterprise cloud environments.

Tenable's findings were first presented in a session by Matan at Black Hat USA in August called "The GCP Jenga Tower: Hacking Millions of Google's Servers With a Single Package (and More)," — one a Dark Reading expert advised not to miss at the conference. However, he published his full analysis on Tenable's blog only this week.

**Risky Documentation Leads to Flaw**

The first sign of the flaw was Google documentation regarding GCP and the Python Software Foundation that introduced the possibility of dependency confusion in cloud deployments, according to Tenable. The researchers dug further and found that Google itself applied the same risky implementation advice to GCP, introducing the flaw.

Specifically, Google advised users who want to use private Python packages in the GCP services App Engine, Cloud Function and Cloud Composer services to use what's called the "--extra-index-url" argument.

"This argument looks for the public registry (PyPI) in addition to the specified private registry from which the application or user intends to install the private dependency," Matan explained. "This behavior opens the door for attackers to carry out a dependency confusion attack."

The researchers inferred that there are "numerous GCP customers" who followed Google's risky guidance, as well as ultimately discovered that Google itself took its own advice when installing private packages in their own internal services.

Specifically, Tenable researchers found that Google used the risky --extra-index-url argument to install a private code package missing from the public registry in a way "that allows attackers to upload a malicious package to the public registry, and take over the pipeline," Matan wrote.

**Google Fix & Other Mitigations**

The researchers responsibly disclosed both the documentation and the CloudImposer RCE vulnerability to Google, which promptly responded and took action, according to Tenable. Specifically, Google fixed the vulnerable script in Google Cloud Composer that was utilizing the --extra-index-url argument when installing a private package from a private registry.

The company also inspected the checksum of vulnerable package instances and notified Tenable that, as far as Google knows, there is no evidence that the CloudImposer was ever exploited, Matan noted.

Google also acknowledged that while the exploit code that Tenable developed ran in Google's internal servers, it's likely that it would not have run in customers' environments because it wouldn't pass the integration tests.

Further, the company fixed the risky documentation, now recommending that GCP customers use the --index-url argument instead of the --extra-index-url argument, and the tech giant has adopted Tenable's suggestion to recommend that GCP customers use the GCP Artifact Registry's virtual repository to safely control the Python package manager search order, Matan noted.

GCP customers should analyze their environments for their package installation process to prevent breaches, specifically searching for the use of the --extra-index-url argument in Python to ensure they are not vulnerable to a dependency confusion attack.

Matan concluded: "A combination of responsible security practices by both cloud providers and cloud customers can mitigate many risks associated with cloud supply chain attacks."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

'CloudImposer' Flaw in Google Cloud Affected Millions of Servers

Genetic testing company 23andMe will pay $30 million over a 2023 data breach which ended in millions of customers having data exposed.

Genetic testing company 23andMe will pay $30 million to settle a class action lawsuit over a 2023 data breach which ended in some customers having information like names, birth years, and ancestry information exposed.

In October 2023, we reported on how information belonging to as many as seven million 23andMe customers turned up for sale on criminal forums following a credential stuffing attack against 23andMe.

23andMe said that cybercriminals had stolen profile information that users had shared through its DNA Relatives feature, an optional service that lets customers find and connect with genetic relatives.

In December 2023, 23andMe admitted that some genetic and health data might have been accessed during that breach. To dodge responsibility, the company wrote a letter to legal representatives of those affected by the breach, laying the blame at the feet of victims themselves.

23andMe also neglected to tell customers with Chinese and Ashkenazi Jewish ancestry that the cybercriminal appeared to have specifically targeted them, posting their information for sale on the dark web.

In January 2024, customers filed a class action lawsuit against 23andMe in a San Francisco court, alleging the company failed to protect their privacy. The result of that lawsuit is the settlement.

What immediately jumped out in the settlement is the title of one of the chapters:

> “THE SETTLEMENT IS THE RESULT OF ZEALOUS ADVOCACY AND SKILLFUL NEGOTIATION”

What does that mean? Well, the $30 million is apparently all that 23andMe can afford to pay. And that’s only because the expectation is that cyberinsurance will cover $25 million.

The market value of the company has plummeted, and revenue declined. This decline had already set in prior to the incident, but it definitely didn’t help to improve the situation.

The court has not yet approved the settlement, but it’s expected that 23andMe will pay $30 million into a fund for customers whose data was compromised, as well as provide them with identity and genetic monitoring.

Other countries, like Canada and the UK have announced they will undertake a joint investigation into the data breach.

According to Malwarebytes’ data, over 3 million people were affected by the data breach, so none of the victims should expect to get rich because of this settlement.

On the dark web, the data is offered for sale in three separate data sets. A general set that includes 2,763,569 records, one belonging to Ashkenazi-based users (835,708 records), and one allegedly belonging to China-based users of 23andMe (68,541 records).

If you want to find out if your personal data was exposed through this breach, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you used to register and 23andMe) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 23andMe to pay $30 million in settlement over 2023 data breach 

IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

**IFSC Code Finder Portal 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

IFSC Code Finder Portal version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4c8714f261d6bcdc7f5ee89b4f1473342ced816a03f174b9a8bc607a329616e0

Download | Favorite | View

**IFSC Code Finder Portal 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : IFSC Code Finder Portal v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/ifsc-code-finder-project-using-php/                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = Test@123[+] http://127.0.0.1/ifscfinder/admin/login.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

IFSC Code Finder Portal 1.0 Insecure Settings

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

**GYM Management System 1.0 Insecure Settings**

Posted Sep 16, 2024

Authored by indoushka

GYM Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 5ee11f413d4f6dbbb71c2d782424145f8284d96790518d7c0e3923c5bd409844

Download | Favorite | View

**GYM Management System 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : GYM Management System 1.0 Insecure Settings Vulnerability                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/gym-management-system-using-php-and-mysql/                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin@gmail.com      Password: Test@123[+] http://127.0.0.1/agms/admin/dashboard.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,759)
*   Arbitrary (17,063)
*   BBS (2,859)
*   Bypass (1,915)
*   CGI (1,047)
*   Code Execution (7,895)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,423)
*   DoS (25,236)
*   Encryption (2,394)
*   Exploit (54,214)
*   File Inclusion (4,273)
*   File Upload (1,012)
*   Firewall (822)
*   Info Disclosure (2,913)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,272)
*   Local (14,848)
*   Magazine (587)
*   Overflow (13,212)
*   Perl (1,435)
*   PHP (5,262)
*   Proof of Concept (2,409)
*   Protocol (3,749)
*   Python (1,656)
*   Remote (31,860)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,046)
*   Shell (3,303)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,716)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (673)
*   Vulnerability (33,064)
*   Web (10,136)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,290)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,120)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,142)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,780)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,828)
*   UNIX (9,454)
*   UnixWare (188)
*   Windows (6,766)
*   Other

Tag

#cisco