The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Tuesday, October 8, 2024 15:04

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.  

October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.   

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.  

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability.  

The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability. 

The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.  

CVE-2024-43583, an elevation of privilege vulnerability in Winlogon, has also been publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. This vulnerability could allow an attacker to obtain SYSTEM-level privilege. In addition to applying the patch, Microsoft also recommends users enable a Microsoft first-party Input Method Editor (IME) on their devices to prevent adversaries from being able to exploit third-party IMEs during the sign-in process. 

October’s Patch Tuesday also includes three critical vulnerabilities that could all lead to remote code execution. 

CVE-2024-43468 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Microsoft Configuration Manager to execute commands on the targeted server or underlying database. 

Another remote code execution vulnerability, CVE-2024-43488, exists in the Visual Studio Code extension for Arduino, an open-source platform for building and managing single-board microcontrollers and microcontroller kits. A missing authentication protocol could allow an adversary to execute remote code over the network.  

Microsoft stated that the company has already mitigated this vulnerability and users do not need to take any additional steps. This extension has also been deprecated and can no longer be downloaded from the internet. 

Lastly, CVE-2024-43582 exists in the Windows Remote Desktop Protocol server and could allow an attacker to execute code on the server side with the same permissions as the RPC service. An adversary could exploit this vulnerability by sending malformed packets to an RPC host. However, exploitation also requires that the adversary win a race condition first.  

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

*   CVE-2024-43502: Elevation of privilege vulnerability in Windows Kernel 
*   CVE-2024-43509 and CVE-2024-43556: Elevation of privilege vulnerabilities in Windows Graphics Component     
*   CVE-2024-43560: Elevation of privilege vulnerability in Windows Storage Port 
*   CVE-2024-43581 and CVE-2024-43615: Remote code execution vulnerability in Microsoft OpenSSH for Windows  
*   CVE-2024-43609: Spoofing vulnerability in Microsoft Office 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

San Francisco, CA, 8th October 2024, CyberNewsWire

**San Francisco, CA, October 8th, 2024, CyberNewsWire**

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**Badge Inc****.**, the award-winning privacy company enabling Identity without Secrets™, today announced a partnership with CyberArk and the public release of its integration in the CyberArk Marketplace.

According to the CyberArk website: The Badge CyberArk Identity integration allows specified users to authenticate into CyberArk Identity and its downstream apps and services, using Badge. This enables user-centric privacy, allowing users to issue and revoke digital identity and keys on-demand using biometrics and/or other factors.

The blog post mentions that privileged users hold highly sensitive access credentials and face an ever-increasing threat surface. This has made these users and their credentials prime targets for cyber-attacks. By leveraging Badge’s technology to eliminate the storage of user credentials, organizations benefit unprecedented security, while maintaining a great user experience.

> Archit Lohokare, CyberArk’s GM for Workforce Solutions, “CyberArk is excited to partner with Badge and offer this new integration. It is an important step forward in our mission to deliver comprehensive identity security solutions across all identities and all environments. Badge’s expertise in eliminating stored secrets and removing friction in difficult use cases complements our identity security platform.”

**Integration to CyberArk Marketplace**

Badge and CyberArk are launching a new integration that: 

1.  Enables unprecedented multi-factor authentication experience across all channels, including new and shared devices,
2.  Offers next-generation privacy technology and a more streamlined user experience to customers
3.  Brings phishing-resistant authentication to account recovery workflows.

> “We’re proud to partner with CyberArk. This integration represents a pivotal step forward in the quest to defeat cyber threats targeting privileged accounts. Stored privileged credentials are a high-target vulnerability, and eliminating this weak point is a big step forward. It also underscores the importance of innovative cybersecurity solutions and demonstrates how advancements in technology can be leveraged to enhance security measures across the board,” said Dr. Tina P. Srivastava, Badge Co-founder. “By addressing the vulnerabilities associated with traditional authentication methods like passwords, organizations can protect their most critical assets more effectively, ensuring that their ‘keys to the kingdom’ remain out of reach from cyber adversaries.”

As cyber threats evolve, so are the approaches to cybersecurity. Together, Badge and CyberArk are helping businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**About CyberArk** 

CyberArk is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud environments and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.

**About Badge**

Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services. To learn more: **www.badgeinc.com****.**

**Contact**

**Media Contact**  
**John O’Brien**  
**SBS Comms**  
**\[email protected\]**

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

The largest publicly traded water utility in the US was forced to disconnect some of its online systems, and its website and telecommunications system remained unavailable as of Tuesday morning, Oct. 8.

Source: Juri Samsonov via Alamy Stock Photo

The website of the largest publicly traded water utility in the US remained offline this morning after a cyberattack Oct. 3 forced the company to shut down some of its connected systems and services.

American Water is a significant supplier of water in the US, serving more than 14 million customers across 14 states and 18 military installations. The company employees about 6,500 people across its facilities. It discovered "unauthorized activity within its computer networks and systems" on Oct. 3 that turned out to be the result of a cybersecurity incident, the company reported in a Form 8-K filing with the US Securities and Exchange Commission.

The company activated incident-response protocols and enlisted third-party cybersecurity experts to help it contain and mitigate the attack, which included disconnecting and deactivating "certain" systems to "protect" systems and data, it reported.

**Online, Telecom Systems Affected**

The outages appear to have included the company's online customer-facing sites, as the American Water website as well as its "MyWater" customer portal served up white pages with "Forbidden 403" text today.

An attendant who answered a Dark Reading phone call to American Water's headquarters in Camden, N.J., early on Oct. 8 said she was unable to connect to a member of the media relations team, nor leave a message for anyone because the telecommunications system also "is down."

At this time, it seems that none of the company's water or wastewater facilities or operations have been negatively affected by the incident, although it's too soon to predict the full impact and material effect it will have on the company, according to the filing. An investigation alongside law enforcement officials remains ongoing as to the exact cause and extent of the damage.

**Utilities Under Attack**

Critical infrastructure such as the public water supply and electricity grid both in the US and overseas face increasing risk of attack from threat actors, incidents that have the potential to not only affect network infrastructure or financial coffers, but also cause supply shortages or even physical harm.

The now-infamous May 2021 ransomware attack on Colonial Pipeline is a prime example of the former, while a February 2021 attack on a Florida water-treatment facility, which potentially could have poisoned the water supply if an employee hadn't acted quickly, demonstrates the latter.

“We often overlook how vulnerable our everyday essentials are to digital threats," observes Akhil Mittal, senior manager of cybersecurity strategy and solutions at Black Duck (formerly known as Synopsys Software Integrity Group). "We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day. A cyber incident like this could disrupt water services, delay safety checks, and potentially risk public health."

**Regulatory Effort Stalled**

Unsurprisingly concerned, US federal authorities have put a concerted effort into to doing more to ensure cybersecurity measures at water utilities are a mandatory effort, as nearly 70% of the United States' community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA).

In fact, the EPA planned to ramp up efforts to enforce the act and other regulatory efforts to ensure better cybersecurity safety across water utilities in May. However, the agency had to roll back these actions last year after it faced litigation from Republican lawmakers and industry groups. Other agencies like CISA have advanced cybersecurity guides for the water sector in the wake of that failed effort.

Prevention of cybersecurity attacks through infrastructure security is indeed the key to ensuring critical services such as the ones utilities offer remain safe, as "protecting these systems is no longer optional now," but "critical to keep things running smoothly and safely," Mittal says.

As this is too late in the case of American Water, he adds, the key to recovering quickly from the incident now will be in taking quick actions to contain the attack, getting all systems back online in a reasonable time frame, and being transparent with the public about what happened.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

American Water Suffers Network Disruptions After Cyberattack

Torrance, United States / California, 7th October 2024, CyberNewsWire

**Torrance, United States / California, October 7th, 2024, CyberNewsWire**

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, has partnered with Hybrid Analysis, a platform that provides advanced malware analysis and threat intelligence, to enhance threat research.

This collaboration integrates Criminal IP’s advanced domain scanning capabilities into the Hybrid Analysis platform, providing security professionals with deeper insights and more effective threat mitigation strategies.

**Comprehensive Malware and Domain Analysis**

Hybrid Analysis employs dynamic and static techniques for thorough malware analysis. Real-time execution environments and memory dumps generate annotated disassembly listings and critical Indicators of Compromise (IOCs).

Criminal IP specializes in real-time domain scanning, scrutinizing domains for phishing, malware, and illicit activities. Integration enriches threat profiles, improving threat detection accuracy.

**Key Benefits of the Collaboration:**

*   **Enhanced Threat Profiling**: Security professionals can gain deeper insights into the origins and behaviors of threats identified through Hybrid Analysis, enriched with Criminal IP’s data.
*   **Real-Time Domain Analysis**: Integration with Criminal IP enables users to conduct real-time scans on domains of interest, which is crucial for accurately identifying emerging threats promptly.
*   **Comprehensive Security Insights**: Users gain access to detailed domain attributes such as phishing records, abuse incidents, and detection of embedded malicious code, enhancing their ability to analyze for signs of Domain Generation Algorithms (DGA) and phishing probabilities.
*   **Interactive Score Card**: Users can quickly assess domain status, accessing additional details directly from Criminal IP database to make informed decisions based on the latest threat intelligence.

**Criminal IP’s Advanced Real-Time Threat Detection**

In addition to this comprehensive maliciousness result, uses seeking information about each component and false positives can visit Criminal IP.

<Example of Criminal IP Domain Search for malicious URL>

The URL scan feature allows users to extract a wealth of data, including network logs, associated IP addresses, malicious links, and website vulnerabilities.

Users of Criminal IP Domain Search can access valuable insights such as technology usage specifics, abuse records, and identified CVE vulnerabilities, all conveniently consolidated on a single page.

This robust search engine offers three customizable subscription plans—Lite, Medium, and Pro—including a Free membership option.

To determine the most suitable plan based on user’s volume of IP Lookup and URL Scan/Lookup requirements, users can explore the Free membership, monitor their credit usage through a user-friendly dashboard, and take advantage of key features for gaining valuable insights.

**About AI SPERA**

AI SPERA, a leader in Cyber Threat Intelligence (CTI) solutions, significantly expanded its reach by launching its flagship solution, Criminal IP, in 2023.

Since then, the company has formed technical and business collaborations with over 40 renowned global security firms, including Hybrid Analysis, VirusTotal, Cisco, Tenable, Sumo Logic, and Quad9.

Besides the CTI search engine, the company offers Criminal IP ASM, a SaaS-based Attack Surface Management Solution on AWS Marketplace and Azure Marketplace, and Criminal IP FDS, an AI-based Anomaly Detection Solution for credential stuffing prevention and fraud detection.

Available in five languages (English, French, Arabic, Korean, and Japanese), the search engine provides a powerful service for users worldwide.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The…

DoJ and Microsoft seized over 100 sites used by Russian hackers for phishing campaigns targeting the U.S. The coordinated effort aims to disrupt state-backed cyber attacks and protect sensitive American data.

The U.S. Department of Justice (DoJ) has revealed that it successfully took down 41 malicious websites allegedly operated by Russian intelligence agents and their collaborators. The seized domains were reportedly being used to conduct malicious cyber activities, including targeting American institutions, in what authorities have called a “sophisticated and ongoing” campaign to exploit sensitive data.

According to the DoJ, the seized domains were being used by a group known as the “**Callisto Group**,” an operational unit within the Russian Federal Security Service (FSB). The group is accused of orchestrating spear-phishing campaigns—targeted email attacks designed to deceive recipients into revealing login credentials. The aim was to gain unauthorized access to confidential information from government entities and other high-value targets.

This action is part of a bigger effort to fight cybercrime in the U.S. and lines up with Microsoft’s latest **announcement** about taking control of 66 similar domains managed by the same group.

Deputy Attorney General Lisa Monaco highlighted the importance of the collaborative effort, **saying**, “Today’s seizure of 41 internet domains reflects the Justice Department’s cyber strategy in action—using every tool at our disposal to disrupt and deter state-sponsored cyber actors.”

She emphasised and claimed that the Russian government used these domains to impersonate legitimate entities and lure victims into a trap. With the help of private partners like Microsoft, Monaco stated that the Department of Justice is committed to exposing such actors and stripping them of their illicit capabilities.

****Microsoft’s Role in the Joint Effort****

Microsoft played a key role in this operation, filing a civil suit to seize 66 domains also linked to the Callisto Group, which Microsoft internally refers to as “Star Blizzard.” The company’s Threat Intelligence unit reported that, between January 2023 and August 2024, Star Blizzard was involved in targeting over 30 civil society organizations, including journalists, think tanks, and NGOs, in an attempt to exfiltrate sensitive information.

> _“Together, we have seized more than 100 websites. Rebuilding infrastructure takes time, absorbs resources, and costs money. By collaborating with the DOJ, we have been able to expand the scope of disruption and seize more infrastructure, enabling us to deliver greater impact against Star Blizzard “While we expect Star Blizzard to always be establishing new infrastructure, today’s action impacts their operations at a critical point in time when foreign interference in U.S. democratic processes is of utmost concern.”_
> 
> Microsoft

The **affidavit** (PDF) supporting the domain seizures reveals a sophisticated operation targeting numerous individuals and organizations, ranging from former U.S. government employees to defence contractors and Department of Energy staff. These actions, authorities say, were part of an effort to infiltrate key sectors and gather valuable intelligence.

****Callisto Group****

The Callisto Group, tracked by Microsoft under the alias “Star Blizzard” (previously known as SEABORGIUM or COLDRIVER), has become notorious for its consistent use of **spear-phishing tactics**.

These attacks often disguise themselves as legitimate communications, tricking victims into providing login information. The group reportedly targeted individuals linked to the U.S. Intelligence Community, as well as contractors working with sensitive U.S. agencies.

Back in December 2023, two individuals associated with the Callisto Group were **charged** by the DoJ: Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets, both linked to FSB Center 18. The indictment accused them of participating in a coordinated hacking campaign against U.S., U.K., NATO member nations, and Ukrainian entities, on behalf of the Russian government.

A phishing email from Callisto Group (Via Microsoft)

It is also worth mentioning that in August last year, INTERPOL dismantled the infamous ’**16shop**’ which served as a Phishing-as-a-Service (PaaS) platform. This was followed by the seizure of another Phishing-as-a-Service platform **BulletProftLink** in November 2023.

Commenting on this, **Casey Ellis**, Founder and Chief Strategy Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity said, _“_The takedown serves a few purposes: Disrupting existing operations, their infrastructure, and their operatives. It puts ColdRiver, and others, “on notice” that their activities are being detected and that they aren’t operating with impunity, which has the benefit of sowing internal doubt and confusion within the operation, which will chill their activities for a while._“_

_“_Importantly, the announcement and the amount of signalling the USG is doing around this takedown is intended to send a message, both to foreign adversaries as well as those being protected here – Russia is a real adversary, with real cyber-operations underway_,”_ Casey warned.

This latest seizure goes on to show how authorities are not only responding to cyberattacks but also proactively dismantling the infrastructure behind these attacks. Additionally, the ongoing collaboration between the Justice Department, FBI, Microsoft, and other agencies also shows how the government and private sector together can curb cybercrime faster.

1.  **Finnish Dark Web Marketplace PIILOPUOTI Seized**
2.  **Ragnar Locker Ransomware Dismantled, Key Suspect Arrested**
3.  **Indian call center seized over Amazon scam against US citizens**
4.  **Ukrainian Hackers Breach Email of APT28 Leader, Wanted by FBI**
5.  **SSNDOB Cybercrime Market Seized in Intl. Coordinated Operation**

DoJ, Microsoft Seize 100 Russian Phishing Sites Targeting US

Despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice.

Thursday, October 3, 2024 14:00

Government-run water systems and other critical infrastructure are still at risk from state-sponsored actors, according to a renewed warning from the U.S. Cybersecurity and Infrastructure Security Agency.  

CISA released an advisory last week on the matter of days after a small water treatment facility in Kansas was forced into manual operations after a cyber attack.  

I feel like this is just the latest in a string of warnings that we’ve been talking about since the Colonial Pipeline attack in 2021 that forced a gasoline shortage across the Eastern U.S. We’ve been discussing the importance of defending critical infrastructure for years now, so what’s new now? 

For starters, it seems like the frequency of these attacks seems to be on the rise. And many efforts to regulate cybersecurity policies and procedures in the industry have thus far fallen flat. 

The White House is reportedly working on rolling out a second wave of cybersecurity recommendations for water treatment facilities on the back of the attack in Kansas that affected the public water supply of 11,000 people. Although the cyber attack did not actually affect anyone from getting their water, it does raise the question of how much of an issue this could be if a state-sponsored actor were to target a facility in a town with a larger population, or if there weren’t backup plans in place to operate the facility manually.  

The U.S. Environmental Protection Agency (EPA) said last year that it had to pull a memo outlining cybersecurity standards at water treatment plants because of constant legal action from state and federal lawmakers and private water companies. And the American Water Works Association (a non-profit lobbying organization representing more than 50,000 members) has advocated for facilities and groups like the AWWA to write their own cybersecurity policies rather than relying on the U.S. government.  

All of that is to say, despite what lessons we thought we learned from Colonial Pipeline, none of those lessons have been able to be put into practice, and we’re still where we were with cybersecurity policies and regulations three years ago.  

Despite urging from the industry and some lawmakers, I’ve yet to see these groups write any of their own policies, so even if they have that power, they don’t seem to be taking advantage of it. So when CISA puts out this type of alert again in a few months after whatever future incident lies ahead, I would expect to see more action from all parties involved rather than another round of words warning that attacks can, and will, happen. 

**The one big thing **

Talos has recently observed an attack leading to the deployment of a MedusaLocker ransomware variant known as “BabyLockerKZ.” This actor has been active since at least late 2022 and targets organizations worldwide, although the number of victims was higher than average in EU countries until mid-2023 and, since then, in South American countries. We assess with medium confidence that the actor is financially motivated, likely working as an IAB or an affiliate of a ransomware cartel. 

**Why do I care? **

The actor behind these attacks seems to be particularly active, infecting more than 100 organizations per month, according to Talos telemetry. This reveals the professional and highly aggressive nature of the attacks and is coherent with the activity we would expect from an IAB or ransomware affiliate. As with any ransomware, BabyLockerKZ looks to encrypt targets’ files and lock them down until the target pays the request ransom.  

**So now what? **

Talos has released several new Snort rules and ClamAV signatures that detect the activity of this group and BabyLockerKZ. This group is also known to use several publicly available tools in their attacks, such as Mimikatz, which are well-known to the security community at this point. For more on living-off-the-land binaries (LoLBins) that attackers like this one are increasingly using, read our blog post here.  

**Top security headlines of the week **

**International law enforcement agencies worked together to arrest and unmask four individuals believed to be associated with the LockBit ransomware group.** As part of this campaign, investigators have also linked one of the LockBit members to Evil Corp, a Russian-backed cybercrime gang. At a press conference announcing the arrests, representatives from the U.K.’s National Crime Agency said that Evil Corp maintained a “privileged” relationship with the Russian government and was often asked to carry out targeted cyber attacks against NATO countries. LockBit is traditionally associated with financially motivated ransomware attacks targeting private companies, regardless of the country in which they reside. Europol, the U.K. NCA, the U.S. FBI and Japan’s National Police have also worked together to create and release a decryptor that can unlock files affected by the LockBit ransomware. The same agencies have been working since last year to target and seize assets and servers belonging to LockBit. The threat actor has taken credit for several major attacks over the past several years, including those targeting Boeing, Volkswagen, multiple major international ports and government-owned computers in Fulton County, Georgia. (Europol, TechCrunch) 

**The latest version of the U.S.’s National Institute of Standards and Technology’s password recommendations drop complexity in favor of length.** NIST’s latest version of its Password Guidelines removes the recommendations that passwords use a mixture of character types and that they be changed often. Instead, the draft states that credential service providers (CSPs) recommend users create passwords between 15 and 64 characters that may include ASCII or Unicode characters. The previous version of the NIST standards led many users to adopt easy-to-guess passwords such as “Password1234!” or store the complicated passwords in easy-to-access places, such as written down on a piece of paper near their computer. CSPs are also instructed to drop knowledge-based authentication or security questions when selecting passwords. NIST standards are important because they formalize principles widely adopted by the U.S. government and major technology companies like Microsoft and Google. The latest draft also states that users only need to change their passwords in the event of a publicly reported data breach. (Infosecurity Magazine, Dark Reading) 

**A vulnerability in a web app from car manufacturer Kia could allow an attacker to view a car’s license plate, unlock the doors, and even remotely start the ignition.** The since-patched vulnerability in Kia’s web portal could allow attackers to essentially build and deploy their own web app and reassign control of the internet-connected features of most modern Kia vehicles. The vulnerability could have allowed an adversary to immediately ping the location of a targeted vehicle, process its license plate number, and even honk the horn. This is the second such vulnerability the group of researchers has disclosed to a Hyundai-owned company in the past two years. The vulnerability highlights the risk that modern vehicles come with, many of which rely on internet connectivity for some of their features or interface with web apps, websites or mobile phone apps. A proof of concept from the researchers included a dashboard that could allow an attacker to type in a license plate number and then retrieve the owner’s personal information, eventually adding themselves as an “owner” of the car and executing commands on the vehicle. (Wired, Security Week) 

**Can’t get enough Talos? **

*   Resurgence of Spam: Cisco Talos Sound Alarm on New Tactics 
*   Critical RCE vulnerability found in OpenPLC 
*   Simple Mail Transfer Pirates: How threat actors are abusing third-party infrastructure to send spam 

**Upcoming events where you can find Talos**

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**it-sa Expo & Congress** **(Oct. 22 - 24)** 

_Nuremberg, Germany_

**White Hat Desert Con** **(Nov. 14)** 

_Doha, Qatar_

**misecCON** **(Nov. 22)** 

_Lansing, Michigan_

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 76491df69a26019139ac11117cd21bf5d0257a5ebd3d67837f558c8c9c3483d8   
**MD5:** b209df2951e29ab5eab4009579b10b8d  
**Typical Filename:** FileZilla\_3.67.1\_win64\_sponsored2-setup.exe   
**Claimed Product:** FileZilla   
**Detection Name:** W32.76491DF69A-95.SBX.TG

**SHA 256:** c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a   
**MD5:** 3bc6d86fc4b3262137d8d33713ed6082   
**Typical Filename:** 8c556f0a.dll   
**Claimed Product:** N/A   
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** f0d7a2bb0c5db162332418747ba4987027b8a746b24c919a24235ff3b70d25e3   
**MD5:** 0d849044612667362bc88780baa1c1b7   
**Typical Filename:** CryptX.dll   
**Claimed Product:** N/A    
**Detection Name:** Gen:Variant.Lazy.605353 

**SHA 256:** 331fdf5f1f5679a6f6bb0baee8518058aba8081ef8f96e57fa3b74291fcbb814   
**MD5:** f23b90fc9bc301baf3e399e189b6d2dc   
**Typical Filename:** B.dll   
**Claimed Product:** N/A     
**Detection Name:** Gen:Variant.Lazy.605353

CISA is warning us (again) about the threat to critical infrastructure networks

San Francisco, United States / California, 3rd October 2024, CyberNewsWire

**San Francisco, United States / California, October 3rd, 2024, CyberNewsWire**

Doppler, the leading platform in secrets management, today announces the launch of **Change Requests**, a new feature providing engineering teams with a secure, auditable approval process for managing and controlling secret changes across environments. Designed to enhance security, compliance, and team collaboration, **Change Requests** gives organizations the tools to mitigate the potential risks from misconfigurations or unauthorized changes and maintain a comprehensive audit trail of all secret modifications. This launch comes at a time when organizations are facing increased security and compliance demands, particularly in managing sensitive information.

As security breaches and insider threats continue to rise, managing secrets has become a growing challenge for teams of all sizes; protecting sensitive information at every stage of the software development lifecycle is critical. According to a recent study by Cybersecurity Ventures, cybercrime damages are expected to cost the world $9.5 trillion in 2024 alone, and compromised secrets and misconfigurations remain significant factors in these attacks. In 2023, GitGuardian reported that there were 12.8 million incidents of exposed secrets on Github which is an increase of 28% from 2022, highlighting the need for tighter controls over sensitive information.

Doppler’s **Change Requests** is designed to address these risks by introducing a formalized, auditable approval process for secrets management. This feature offers teams a centralized and controlled way to manage changes to sensitive information while maintaining full visibility into who made updates and when.

**Addressing Needs for Security and Compliance**

*   **Reducing Misconfiguration:** According to the most recent Verizon Data Breach Investigation Report, breaches as a result of errors grew by 28%. By treating secret changes like code, Doppler seeks to help companies decrease this number and reduce the chances of misconfigurations reaching production. With Change Requests, organizations can require peer reviews and approvals for every configuration change to ensure all updates undergo proper scrutiny before being deployed.
*   **The Growing Compliance Burden:** Cybersecurity standards are increasingly holding companies accountable for how they handle sensitive data. Organizations need clear audit trails and compliance-friendly processes. Paired with detailed activity logging, Change Requests further eases the burden teams face by keeping a complete, auditable trail of every request, review, and change, providing a fully traceable history.
*   **Enforce Security with Controlled Access:** As teams grow, so does the complexity of managing secrets. Organizations can safeguard sensitive secrets with custom roles and user groups by enforcing a structured approval process, ensuring only authorized personnel can make critical updates. This helps prevent unauthorized changes and boosts their overall security posture while keeping teams nimble.

**Building Trust Through Security**

> “It’s incredibly exciting to ship our most demanded feature by both developers and enterprises! Just as pull requests have increased the level of trust with production code, Doppler will fill that long awaited gap with secrets,” said **Brian Vallelunga**, CEO of Doppler. “I’m confident that Doppler’s Change Requests is going to establish a new paradigm for managing secrets securely at enterprise scale—undergoing approval, maintaining a rich audit trail for security and compliance, and integrating natively with production infrastructure for uninterrupted, no-downtime rollouts.”

**Availability**

The Change Requests feature is available now for all users on Doppler’s Enterprise plan. To learn more about implementing Change Requests and how it can improve the organization’s security and compliance efforts, users can visit Doppler’s documentation.

**About Doppler**

Doppler is the leading platform for managing secrets such as environment variables, API keys, and tokens in a centralized, secure, and scalable way. Trusted by thousands of security-conscious teams around the world, Doppler provides developers with the tools they need to keep secrets in sync across every app, service, and infrastructure. Built with security in mind, Doppler offers robust integrations, comprehensive logging, and enterprise-grade encryption to ensure sensitive data remains protected throughout its lifecycle.

**Contact**

**Doppler Press**  
**\[email protected\]**

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

**dizqueTV 1.5.3 Remote Code Execution**

Posted Oct 3, 2024

Authored by Ahmed Said Saud Al-Busaidi

dizqueTV version 1.5.3 suffers from a remote code execution vulnerability.

tags | exploit, remote, code execution

SHA-256 | b18cb14167c97952ef1684789d6a48b83e5c1338a0677edc0b3eaef195497b45

Download | Favorite | View

**dizqueTV 1.5.3 Remote Code Execution**

    # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE)# Date: 9/21/2024# Exploit Author: Ahmed Said Saud Al-Busaidi# Vendor Homepage: https://github.com/vexorian/dizquetv# Version: 1.5.3# Tested on: linuxPOC:## Vulnerability DescriptiondizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers.## STEPS TO REPRODUCE1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'"3. click on update4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

**File Tags**

*   ActiveX (933)
*   Advisory (87,037)
*   Arbitrary (17,123)
*   BBS (2,859)
*   Bypass (1,932)
*   CGI (1,049)
*   Code Execution (7,927)
*   Conference (693)
*   Cracker (845)
*   CSRF (3,438)
*   DoS (25,312)
*   Encryption (2,395)
*   Exploit (54,379)
*   File Inclusion (4,278)
*   File Upload (1,026)
*   Firewall (822)
*   Info Disclosure (2,927)
*   Intrusion Detection (921)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,313)
*   Local (14,866)
*   Magazine (587)
*   Overflow (13,229)
*   Perl (1,435)
*   PHP (5,293)
*   Proof of Concept (2,415)
*   Protocol (3,753)
*   Python (1,664)
*   Remote (31,931)
*   Root (3,674)
*   Rootkit (530)
*   Ruby (643)
*   Scanner (1,660)
*   Security Tool (8,055)
*   Shell (3,310)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,739)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,135)
*   Web (10,147)
*   Whitepaper (3,785)
*   x86 (970)
*   XSS (18,308)
*   Other

**File Archives**

*   October 2024
*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,115)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,132)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,599)
*   HPUX (881)
*   iOS (390)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,415)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,936)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,896)
*   UNIX (9,464)
*   UnixWare (188)
*   Windows (6,782)
*   Other

dizqueTV 1.5.3 Remote Code Execution

Malwarebytes Browser Guard now warns users about recent data breaches, as well as automatically opting users out of tracking cookies.

Two things are true of data online: It will be collected and, just as easily, it will be lost. 

But a major update to Malwarebytes Browser Guard will better protect users from opaque data collection that happens every day online, as well as raising their awareness about corporate data breaches that have left their sensitive information vulnerable to harm.    

First, Browser Guard will now send helpful notifications to users when they visit a website belonging to a company that has suffered a proven data breach in the past 90 days. While everyday users might already know about some of the largest breaches in recent history—AT&T comes to mind—it can be nearly impossible to keep track of every single company that has lost user data in the past.  

With these new data breach notifications, Browser Guard will warn users about recent data breaches they perhaps never heard about, from the 2.2 million people affected by the breach of Rite Aid, to the 1.7 million people affected by the breach of Slim CD, to the 500,000 people affected by the breach of the Texas Dow Employees Credit Union.  

Importantly, Browser Guard will not send repeat notifications that pester return users. The notifications will also include direct access to the Malwarebytes Digital Footprint Portal, allowing users to check in real time whether their data was included in any flagged breach.  

In a second, added feature, Browser Guard is also making it easier to stay private online by automatically opting users out of data collection performed by tracking cookies that are littered across the internet, with no extra effort required on users’ behalf.

These types of cookies are present on nearly every single website that people visit today, from Google to Facebook to YouTube to Reddit. They are invisible pieces of code that advertisers use to track user activity even after they leave a website.

This data, when collected in aggregate, can reveal a person’s age, gender, hometown, relationship status, political beliefs, and so much more. And it’s precisely this data that advertisers want, as it helps them micro-target their ads to, say, new dads in Overland Park, Kansas, looking for a lawnmower, or, first-time homeowners in San Francisco needing a washer and dryer that fit in a small space.

For more than a decade, this type of data collection happened invisibly, but when the European Union passed a sweeping set of data protection rights in 2016, much of that changed.

Following the passage of the law (referred to in short as GDPR), users began to see cumbersome popups everywhere across the web that asked about “cookie preferences”—preferences around how these invisible trackers would collect information both for the website itself and for the advertisers using that website to deliver ads.

With the latest Browser Guard update, cookie consent forms will now be auto-rejected, thus requesting the site to honor the most privacy-preserving settings.

What people experience is a simpler and less aggravating internet, where they’re no longer forced to manage yet another aspect of their privacy.

**Download for Free today:**

For a live look at the new Browser Guard, see the video below.

Tag

#cisco