The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), relates to cases of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb.
"A

Vulnerability / Network Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerability, tracked as **CVE-2024-23113** (CVSS score: 9.8), relates to cases of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb.

"A use of externally-controlled format string vulnerability \[CWE-134\] in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," Fortinet noted in an advisory for the flaw back in February 2024.

As is typically the case, the bulletin is sparse on details related to how the shortcoming is being exploited in the wild, or who is weaponizing it and against whom.

In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the vendor-provided mitigations by October 30, 2024, for optimum protection.

**Palo Alto Networks Discloses Critical Bugs in Expedition**

The development comes as Palo Alto Networks disclosed multiple security flaws in Expedition that could allow an attacker to read database contents and arbitrary files, in addition to writing arbitrary files to temporary storage locations on the system.

"Combined, these include information such as usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls," Palo Alto Networks said in a Wednesday alert.

The vulnerabilities, which affect all versions of Expedition prior to 1.2.96, are listed below -

*   **CVE-2024-9463** (CVSS score: 9.9) - An operating system (OS) command injection vulnerability that allows an unauthenticated attacker to run arbitrary OS commands as root

*   **CVE-2024-9464** (CVSS score: 9.3) - An OS command injection vulnerability that allows an authenticated attacker to run arbitrary OS commands as root

*   **CVE-2024-9465** (CVSS score: 9.2) - An SQL injection vulnerability that allows an unauthenticated attacker to reveal Expedition database contents

*   **CVE-2024-9466** (CVSS score: 8.2) - A cleartext storage of sensitive information vulnerability that allows an authenticated attacker to reveal firewall usernames, passwords, and API keys generated using those credentials

*   **CVE-2024-9467** (CVSS score: 7.0) - A reflected cross-site scripting (XSS) vulnerability that enables execution of malicious JavaScript in the context of an authenticated Expedition user's browser if that user clicks on a malicious link, allowing phishing attacks that could lead to Expedition browser session theft

The company credited Zach Hanley of Horizon3.ai for discovering and reporting CVE-2024-9464, CVE-2024-9465, and CVE-2024-9466, and Enrique Castillo of Palo Alto Networks for CVE-2024-9463, CVE-2024-9464, CVE-2024-9465, and CVE-2024-9467.

There is no evidence that the issues have ever been exploited in the wild, although it said steps to reproduce the problem are already in the public domain, courtesy of Horizon3.ai.

There are approximately 23 Expedition servers exposed to the internet, most of which are located in the U.S., Belgium, Germany, the Netherlands, and Australia. As mitigations, it's recommended to limit access to authorized users, hosts, or networks, and shut down the software when not in active use.

**Cisco Fixes Nexus Dashboard Fabric Controller Flaw**

Last week, Cisco also released patches to remediate a critical command execution flaw in Nexus Dashboard Fabric Controller (NDFC) that it said stems from an improper user authorization and insufficient validation of command arguments.

Tracked as **CVE-2024-20432** (CVSS score: 9.9), it could permit an authenticated, low-privileged, remote attacker to perform a command injection attack against an affected device. The flaw has been addressed in NDFC version 12.2.2. It's worth noting that versions 11.5 and earlier are not susceptible.

"An attacker could exploit this vulnerability by submitting crafted commands to an affected REST API endpoint or through the web UI," it said. "A successful exploit could allow the attacker to execute arbitrary commands on the CLI of a Cisco NDFC-managed device with network-admin privileges."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

CISA Warns of Critical Fortinet Flaw as Palo Alto and Cisco Issue Urgent Security Patches

The EU AI Act provides a governance, risk, and compliance (GRC) framework that helps organizations take a risk-based approach to using AI.

Source: Vitor Miranda via Alamy Stock Photo

COMMENTARY

As artificial intelligence (AI) becomes increasingly prevalent in business operations, organizations must adapt their governance, risk, and compliance (GRC) strategies to address the privacy and security risks this technology poses. The European Union's AI Act provides a valuable framework for assessing and managing AI risk, offering insights that can benefit companies worldwide.

The EU AI Act applies to providers and users of AI systems in the EU, as well as those putting AI systems on the EU market or using them within the EU. Its primary goal is to ensure that AI systems are safe and respect fundamental rights and values, including privacy, nondiscrimination, and human dignity.

The EU AI Act categorizes AI systems into four risk levels. On one end of the spectrum, AI systems that pose clear threats to safety, livelihoods, and rights are deemed an Unacceptable Risk. On the other end, AI systems classified as Minimal Risk are largely unregulated, though subject to general safety and privacy rules.

The classifications to study for GRC management are High Risk and Limited Risk. High Risk denotes AI systems where there is a significant risk of harm to individuals' health, safety, or fundamental rights. Limited Risk AI systems pose minimal threat to safety, privacy, or rights but remain subject to transparency obligations.

The EU AI Act allows organizations to take a risk-based approach when assessing AI. The framework helps establish a logical approach for AI risk assessments, particularly for High and Limited Risk activities.

**Requirements for High-Risk AI Activities**

High-Risk AI activities can include credit scoring, AI-driven recruitment, healthcare diagnostics, biometric identification, and safety-critical systems in transportation. For these and similar activities, the EU AI Act mandates the following stringent requirements:

1.  Risk management system: Implement a comprehensive risk management system throughout the AI system's life cycle.
    
2.  Data governance: Ensure proper data governance with high-quality datasets to prevent bias.
    
3.  Technical documentation: Maintain detailed documentation of the AI system's operations.
    
4.  Transparency: Provide clear communication about the AI system's capabilities and limitations.
    
5.  Human oversight: Enable meaningful human oversight for monitoring and intervention.
    
6.  Accuracy and robustness: Ensure the AI system maintains appropriate accuracy and robustness.
    
7.  Cybersecurity: Implement state-of-the-art security mechanisms to protect the AI system and its data.
    

**Requirements for Limited and Minimal Risk AI Activities**

While Limited and Minimal Risk activities don't require the same level of scrutiny as High-Risk systems, they still warrant careful consideration.

1.  Data assessment: Identify the types of data involved, its sensitivity, and how it will be used, stored, and secured.
    
2.  Data minimization: Ensure that only essential data is collected and processed.
    
3.  System integration: Evaluate how the AI system will interact with other internal or external systems.
    
4.  Privacy and security: Apply traditional data privacy and security measures.
    
5.  Transparency: Implement clear notices that inform users of AI interaction or AI-generated content.
    

**Requirements for All AI Systems: Assessing Training Data**

The assessment of AI training data is crucial for risk management. Key considerations for the EU AI Act include ensuring that you have the necessary rights to use the data for AI training purposes, as well as implementing strict access controls and data segregation measures for sensitive data.

In addition, AI systems must protect authors' rights and prevent unauthorized reproduction of protected IP. They also have to maintain high-quality, representative datasets and mitigate potential biases. Finally, they must maintain clear records of data sources and transformations for traceability and compliance purposes.

**How to Integrate AI Act Guidelines Into Existing GRC Strategies**

While AI presents new challenges, many aspects of the AI risk assessment process build on existing GRC practices. Organizations can start by applying traditional due-diligence processes for systems that handle confidential, sensitive, or personal data. Then, focus on these AI-specific considerations:

1.  AI capabilities assessment: Evaluate the AI system's actual capabilities, limitations, and potential impacts.
    
2.  Training and management: Assess how the AI system's capabilities are trained, updated, and managed over time.
    
3.  Explainability and interpretability: Ensure that the AI's decision-making process can be explained and interpreted, especially for High-Risk systems.
    
4.  Ongoing monitoring: Implement continuous monitoring to detect issues, such as model drift or unexpected behaviors.
    
5.  Incident response: Develop AI-specific incident response plans to address potential failures or unintended consequences.
    

By adapting existing GRC strategies and incorporating insights from frameworks like the EU AI Act, organizations can navigate the complexities of AI risk management and compliance effectively. This approach not only helps mitigate potential risks but also positions companies to leverage AI technologies responsibly and ethically, thus building trust with customers, employees, and regulators alike.

As AI continues to evolve, so, too, will the regulatory landscape. The EU AI Act serves as a pioneering framework, but organizations should stay informed about emerging regulations and best practices in AI governance. By proactively addressing AI risks and embracing responsible AI principles, companies can harness the power of AI while maintaining ethical standards and regulatory compliance.

**About the Author**

General Counsel, Secureframe

Kyle McLaughlin serves as General Counsel at Secureframe, an all-in-one platform for continuous security compliance. With a proven track record counseling prominent tech companies including Cisco and Duo Security, he specializes in IP issues, security, compliance, and privacy (holding CIPP/E certification). McLaughlin earned his JD from Wayne State University Law School and completed his bachelor's degree in Political Science and English at the University of Michigan.

Risk Strategies Drawn From the EU AI Act

Multimodal AI systems can help enterprise defenders weed out fraudulent emails, even if the system has not seen that type of message before.

Source: Peshkova via Shutterstock

Artificial intelligence (AI) models that work across different types of media and domains — so-called "multimodal AI" — can be used by attackers to create convincing scams. At the same time, defenders are finding multimodal AI equally useful at spotting fraudulent emails and not-safe-for-work (NSFW) materials.

A large language model (LLM) can accurately classify previously unseen samples of emails impersonating different brands with better than 97% accuracy, as measured by a metric known as the F1 score, according to researchers at cybersecurity firm Sophos, who presented their findings at the Virus Bulletin Conference on Oct. 4. While existing email-security and content-filtering systems can spot messages using brands that have been encountered before, multimodal AI systems can identify the latest attacks, even if the system is not trained on samples of similar emails.

While the approach will likely not be a feature in email-security products, it could be used as a late-stage filter by security analysts, says Ben Gelman, a senior data scientist at Sophos, which has joined other cybersecurity firms, such as Google, Microsoft, and Simbian, in exploring new ways of using LLMs and other generative AI models to augment and assist security analysts and to help speed up incident response.

"AI and cybersecurity are merging, and this whole AI-generated attack/AI generated defense \[approach\] is going to become natural in the cybersecurity space," he says. "It's a force multiplier for our analysts. We have a number of projects where we support our SOC analysts with AI-based tools, and it's all about making them more efficient and giving them all this knowledge and confidence at their fingertips."

**Understanding Attackers' Tactics**

Attackers have also started using LLMs to improve their email lures and attack code. Microsoft, Google, and OpenAI have all warned that nation-state groups appear to be using these public LLMs for various tasks, such as creating spear-phishing lures and code snippets used to scrape websites.

As part of their research, the Sophos team created a platform for automating the launch of an e-commerce scam campaign, or "scampaigns," to understand what sort of attacks could be possible with multimodal generative AI. The platform consisted of five different AI agents: a data agent for generating information about the products and services, an image agent for creating images, an audio agent for any sound needs, a UI agent for creating the custom code, and an advertising agent to create marketing materials. The customization potential for automated ChatGPT spear-phishing and scam campaigns could result in large-scale microtargeting campaigns, the Sophos researchers stated in its Oct. 2 analysis.

"\[W\]e can see that these techniques are particularly chilling because users may interpret the most effective microtargeting as serendipitous coincidences," the researchers stated. "Spear phishing previously required dedicated manual effort, but with this new automation, it is possible to achieve personalization at a scale that hasn't been seen before."

That said, Sophos has not yet encountered this level of AI usage in the wild.

Defenders should expect AI-assisted cyberattackers to have better quality social-engineering techniques and faster cycles of innovation, says Anand Raghavan, vice president of AI engineering at Cisco Security.

"It is not just the quality of the emails, but the ability to automate this has gone up an order of magnitude since the arrival of GPT and other AI tools," he says. "The attackers have gotten not just incrementally better, but exponentially better."

**Beyond Keyword Matching**

Using LLMs to process emails and turn them into text descriptions leads to better accuracy and can help analysts process emails that might have otherwise escaped notice, stated Younghoo Lee, a principal data scientist with Sophos's AI group, in research presented at the Virus Bulletin conference.

"\[O\]ur multimodal AI approach, which leverages both text and image inputs, offers a more robust solution for detecting phishing attempts, particularly when facing unseen threats," he stated in the paper accompanying his presentation. "The use of both text and image features proved to be more effective" when dealing with multiple brands.

The capability to process the context of the text in the email augments the multimodal capability to "understand" words and context from images, allowing a fuller understanding of an email, says Cisco's Raghavan. LLMs' ability to focus not just on pinpointing suspicious language but also on dangerous contexts — such as emails that urge a user to take a business-critical action — make them very useful in assisting analysis, he says.

Any attempt to compromise workflows that have to do with money, credentials, sensitive data, or confidential processes should be flagged.

"Language as a classifier also very strongly enables us to reduce false positives by identifying what we call critical business workflows," Raghavan says. "If an attacker is interested in compromising your organization, there are four kinds of critical business workflows, \[and\] language is the predominant indicator for us to determine \[whether\] an email is concerning or not."

So why not use LLMs everywhere? Cost, says Sophos's Gelman.

"Depending on LLMs to do anything at massive scale is usually way too expensive relative to the gains that you're getting," he says. "One of the challenges of multimodal AI is that every time you add a mode like images, you need way more data, you need way more training time, and — when the text and the image models conflict — you need a better model and potentially better training" to decide between the two.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

AI-Augmented Email Analysis Spots Latest Scams, Bad Content

The $4.4 billion in crypto is set to be the largest pile of criminal proceeds ever sold off by the US. The former IRS agent who seized the recording-breaking sum, meanwhile, languishes in a Nigerian jail cell.

In November of 2020, a person identified by the US Department of Justice only as “Individual X” sat down with an IRS agent named Tigran Gambaryan and prosecutors at the US Attorney’s office in San Francisco. That unnamed individual typed out the long string of characters of a Bitcoin private key on Gambaryan’s laptop, allowing Gambaryan to move 69,370 bitcoins from Individual X’s bitcoin address to one controlled by the US government.

Over the four years that it has taken the US government to establish legal ownership of that massive sum of bitcoins—identified by the IRS as stolen proceeds of the Silk Road dark-web drug market—its value has grown to a staggering $4.4 billion dollars. The money's forfeiture appears to have been part of a deal that kept Individual X out of prison, though the terms of that deal have never been publicly disclosed.

Instead, in a bizarre twist of fate, it's Gambaryan, the IRS criminal investigator who traced and seized that record-breaking sum of cryptocurrency, who is sitting in a Nigerian jail as those billions finally end up in US coffers.

On Wednesday, the US Supreme Court declined to hear an appeal to a lower court ruling that the US government can seize Individual X's nearly 70,000 bitcoins, which the person allegedly took from the Silk Road more than a decade ago by exploiting a security vulnerability in the market. That stolen drug money has since been claimed by various parties, most recently by a company called Battle Born Investments that sought to appeal the seizure ruling and claimed to have purchased the Silk Road bitcoins through a bankruptcy proceeding. Only now that this appeal has fizzled, four years after the stolen money was tracked down in an investigation led by Gambaryan at IRS Criminal Investigations, can the US government finally take official possession of the wayward bitcoins, which will likely be auctioned off for dollars by the US Marshals Service, as smaller sums of seized cryptocurrency have in the past.

“The Supreme Court's decision not to hear the case means that this is now is going to be forfeited to the United States government,” says Will Frentzen, one of the US prosecutors who handled the Individual X case and is now an attorney at the legal firm Morrison Foerster. “This is the largest ever forfeiture of crypto that will go to the US Treasury.” In fact, thanks to Bitcoin's wild appreciation in recent years, it appears to be the largest ever criminal seizure of money of _any kind_ to be added to the US federal budget. (A seizure following the theft of 120,000 bitcoins from the cryptocurrency exchange Bitfinex was even larger but will likely be repaid to victims and creditors rather than kept by the government.)

Over those same years, however, Gambaryan has taken an even more unlikely path: In 2021, he left the IRS to take a job as the head of investigations at Binance, the world's largest cryptocurrency exchange—a move seen widely as driven by Binance’s belated attempt to clean up its own widespread use for money laundering, which led the company to pay a $4.3 billion criminal fine to the US government last year. When Nigeria followed that fine by accusing Binance of similar criminal misconduct and devaluing the country's national currency, it was Gambaryan who was invited to Abuja to negotiate with the Nigerian government earlier this year. Instead, the Nigerian government detained Gambaryan, took his passport, and has now jailed him for over six months, charging him with money laundering and tax evasion as a proxy for his employer.

“It's beyond bizarre. It's Twilight Zone every day,” says Frentzen, who now has taken on Gambaryan's case in Nigeria as one of his defense attorneys. “His impact as a federal agent was so extensive and so far reaching that he's been out of the government for three years and yet the American government and the American public are still benefiting from his hard work. And he's languishing in a Nigerian jail cell on trumped-up charges. It's really unfathomable.”

Attention to Gambaryan's case has grown in recent months as lawmakers and US officials have increasingly appealed to the Nigerian government to release him on bail or on medical grounds. Gambaryan has suffered from a worsening herniated disc in his back that requires immediate surgery to prevent permanent injury, according to Frentzen. Yet he's been denied medical care in jail, and a video of him entering a courtroom in Abuja with a crutch seems to show a security guard refusing to help Gambaryan walk or to provide him with a wheelchair despite his pleas.

In June, 16 members of Congress called in an open letter for Gambaryan's case to be treated as a hostage situation, and a resolution introduced in the House Foreign Affairs Committee in July urged the White House to apply pressure to Nigeria to free Gambaryan. “I urge the State Department and I urge President Biden: Turn up the heat on Nigeria,” Arkansas representative French Hill, who visited Gambaryan in jail, said in a hearing last month. “Honor the fact that an American citizen has been snatched by a friendly government and put in prison over something he had no responsibility for.”

Over his 10 years at IRS Criminal Investigations, Gambaryan pioneered federal law enforcement's use of cryptocurrency tracing as an investigative technique, with landmark results: From 2014 to 2017, Gambaryan identified two corrupt federal agents who had enriched themselves with cryptocurrency during their investigation of the Silk Road; helped to track down half a billion dollars worth of bitcoins stolen from early crypto exchange Mt. Gox; had a hand in developing a secret crypto tracing method that located the server hosting the massive AlphaBay dark-web crime market; and helped to take down the Welcome to Video crypto-funded child sexual abuse video network, a case that led to 337 arrests around the world and the rescue of 23 children from exploitative situations.

In the wake of that string of cases, Gambaryan and another IRS Criminal Investigations agent, Jeremy Haynie, began in 2017 to trace the 69,370 bitcoins that appeared to have been stolen from the Silk Road in 2012 and 2013 and had sat almost entirely unmoved in the years since. With the help of blockchain analysis and data from seized servers of the criminal BTC-e crypto exchange—the fruits of another of Gambaryan's investigations—the agents were able to identify Individual X as a hacker who had taken the Silk Road's funds and demand that they forfeit them.

As those funds flow into the federal government's accounts, Frentzen hopes that federal officials who have the power to pressure Nigeria to free Gambaryan will remember where that record sum of money came from. “It should be a crystal-clear reminder of the impact that he's had for the American government and for the American people. To have him locked up while the US Treasury is collecting $4.4 billion because of his work, it's really twisted,” Frentzen says. “We urge the US government to continue to work to secure his release and to do so as fast as possible. And we encourage the Nigerians to do the right thing and release him.”

69,000 Bitcoins Are Headed for the US Treasury—While the Agent Who Seized Them Is in Jail

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

Wednesday, October 9, 2024 12:00

Cisco Talos’ Vulnerability Research team recently disclosed six new security vulnerabilities across a range of software, including one in a popular PDF reader that could lead to arbitrary code execution. 

Foxit PDF Reader, one of the most popular alternatives to Adobe Acrobat, contains a memory corruption vulnerability that could allow an adversary to execute code on the targeted machine. 

Talos also discovered three vulnerabilities in Veertu’s Anka Build, a suite of software designed to test macOS or iOS applications in CI/CD environments.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

**Use-after-free vulnerability in Foxit PDF Reader**

_Discovered by KPC._

A use-after-free vulnerability in Foxit PDF Reader could lead to memory corruption and eventually arbitrary code execution on the targeted machine.

TALOS-2024-1967 (CVE-2024-28888) can be triggered if an adversary tricks a user into opening a specially crafted PDF that contains malicious JavaScript. Exploitation could also occur if the targeted user visits an attacker-controlled website with the Foxit PDF Reader browser extension enabled.

**Multiple vulnerabilities in GNOME project library could lead to code execution**

Two vulnerabilities in the G Structured File Library (libgsf) could lead to arbitrary code execution. 

This GNOME project supports an abstraction layer around different structure file formats such as .tar and .zip. 

TALOS-2024-2068 (CVE-2024-36474) is an integer overflow vulnerability that could allow an out-of-bounds index to be used when reading and writing to an array. This could lead to arbitrary code execution if an adversary exploited it appropriately. 

TALOS-2024-2069 (CVE-2024-42415) works similarly, but in this case, it arises when the software processes the sector allocation table.

An adversary could exploit both these vulnerabilities by tricking the targeted user into opening a malicious, specially crafted file. 

**Three vulnerabilities in Veertu Anka Build**

_Discovered by KPC._

Veertu’s Anka Build software contains three vulnerabilities, two of which are directory traversal issues. 

Anka Build is a suite of software designed to test macOS and iOS applications in CI/CD environments. The suite is a centralized dashboard for managing nodes, VM instances, templates, tags and logs. 

This software contains two directory traversal vulnerabilities — TALOS-2024-2059 (CVE-2024-41163) and TALOS-2024-2061 (CVE-2024-41922) — that could lead to the disclosure of arbitrary files. An adversary could exploit these vulnerabilities by sending the target a specially crafted HTTP request. 

Another vulnerability, TALOS-2024-2060 (CVE-2024-39755), is a privilege escalation issue that could allow a low-privileged user to force the software to update, potentially raising their access to that of a root user.

Vulnerability in popular PDF reader could lead to arbitrary code execution; Multiple issues in GNOME project

Since April, attackers have increased their use of Dropbox, OneDrive, and SharePoint to steal the credentials of business users and conduct further malicious activity.

Source: JLStock via Shutterstock

Threat actors are upping the ante on business email compromise (BEC) campaigns by combining social engineering with the use of legitimate, cloud-based file-hosting services to create more convincing attacks; the campaigns bypass common security protections and ultimately compromise the identity of enterprise users.

Since April, Microsoft has seen a rise in campaigns that have emerged over the past two years in which attackers weaponize legitimate file-sharing services like Dropbox, OneDrive, or SharePoint, which many enterprises use for workforce collaboration, Microsoft Threat Intelligence warned this week.

"The widespread use of such services … makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures," according to the Microsoft Threat Intelligence blog post.

Attackers are combining their use with social engineering in campaigns that target trusted parties in a business user's network, and base lures on familiar conversation topics. Threat actors are thus successfully phishing credentials for business accounts, which they then use to conduct further malicious activity, such as financial fraud, data exfiltration, and lateral movement to endpoints.

Trusted cloud services are an increasingly weak enterprise security link. Indeed, various researchers have discovered attackers — including advanced persistent threat (APT) groups — using legitimate file-sharing services to deliver remote access Trojans (RATs) and spyware, among other malicious activity.

**A Typical BEC Attack Scenario**

According to Microsoft, A common attack scenario begins with the compromise of a user within an enterprise. The threat actor then uses that victim's credentials to host a file on that organization's file-hosting service and share it with the real target: those within an external organization that have trusted ties to the victim.

Attackers are specifically using Dropbox, OneDrive, or SharePoint files with either restricted access or view-only restrictions to evade common detection systems and provide a launching pad for credential-harvesting activity. The former "requires the recipient to be signed in to the file-sharing service … or to re-authenticate by entering their email address along with a one-time password (OTP) received through a notification service," establishing a trust relationship with the content. The latter can bypass analysis by email detonation systems, by "disabling the ability to download and consequently, the detection of embedded URLs within the files," according to Microsoft. "These techniques make detonation and analysis of the sample with the malicious link almost impossible since they are restricted."

To further ensure this bypass, attackers also use other techniques, including only allowing the intended recipient to view the file, or making the file accessible only for a limited time.

"This misuse of legitimate file-hosting services is particularly effective because recipients are more likely to trust emails from known vendors," according to Microsoft. Indeed, users from trusted vendors are added to allow lists through policies set by the organization on collaboration products used with the service, such as Exchange Online, so emails that are linked to phishing attacks pass through undetected.

After the files are shared on the hosting service, the targeted business user receives an automated email notification with a link to access the file securely. This is a legitimate notification about activity on the file-sharing service, so the email bypasses any protections that might have blocked a suspicious message.

**Adversary-in-the-Middle; Leveraging Familiarity**

When the targeted user accesses the shared file, he or she is prompted to verify identity by providing their email address, after which the address \[email protected\]\[.\]com sends a one-time password that the user can input to view the document.

That document often masquerades as a preview with another link purporting to allow the user to "view the message," according to Microsoft. However, it actually redirects the user to an adversary-in-the-middle (AiTM) phishing page that prompts the user is prompted to provide the password and complete the multifactor authentication (MFA) challenge.

"The compromised token can then be leveraged by the threat actor to perform the second stage BEC attack and continue the campaign," according to Microsoft.

Hosted files typically use lures to subject matter that would be a familiar topic or use familiar context based on an existing conversation held between employees of the organizations that the threat actor would be able to access thanks to the prior compromise of the anchor victim. For example, if two organizations have prior interactions related to an audit, the malicious shared files could be named "Audit Report 2024," according to Microsoft.

Attackers also leverage the oft-used psychological tactic of urgency to lure users into opening malicious files, using file names such as "Urgent:Attention Required" and "Compromised Password Reset" to get people to take the bait.

**Detecting Suspicious File-Sharing**

With these highly sophisticated BEC campaigns that neither users nor traditional email security systems detect on the rise, Microsoft recommends that enterprises use extended detection and response (XDR) systems to query for suspicious activity related to BEC campaigns that use legitimate file-sharing services.

Such queries could include identifying files with similar-sounding or the same file names that have been shared with various users. "Since these are observed as campaigns, validating that the same file has been shared with multiple users in the organization can support the detection," according to Microsoft

Defenders also can use identity-focused queries related to sign-ins from VPS or VPN providers, or successful sign-ins from a non-compliant device, "to detect and investigate anomalous sign-in events that may be indicative of a compromised user identity being accessed by a threat actor," according to the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Microsoft: Creative Abuse of Cloud Files Bolsters BEC Attacks

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.
Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based

Microsoft has released security updates to fix a total of 118 vulnerabilities across its software portfolio, two of which have come under active exploitation in the wild.

Of the 118 flaws, three are rated Critical, 113 are rated Important, and two are rated Moderate in severity. The Patch Tuesday update doesn't include the 25 additional flaws that the tech giant addressed in its Chromium-based Edge browser over the past month.

Five of the vulnerabilities are listed as publicly known at the time of release, with two of them coming under active exploitation as a zero-day -

*   **CVE-2024-43572** (CVSS score: 7.8) - Microsoft Management Console Remote Code Execution Vulnerability (Exploitation detected)
*   **CVE-2024-43573** (CVSS score: 6.5) - Windows MSHTML Platform Spoofing Vulnerability (Exploitation Detected)
*   **CVE-2024-43583** (CVSS score: 7.8) - Winlogon Elevation of Privilege Vulnerability
*   **CVE-2024-20659** (CVSS score: 7.1) - Windows Hyper-V Security Feature Bypass Vulnerability
*   **CVE-2024-6197** (CVSS score: 8.8) - Open Source Curl Remote Code Execution Vulnerability (non-Microsoft CVE)

It's worth noting that CVE-2024-43573 is similar to CVE-2024-38112 and CVE-2024-43461, two other MSHTML spoofing flaws that have been exploited prior to July 2024 by the Void Banshee threat actor to deliver the Atlantida Stealer malware.

Microsoft makes no mention of how the two vulnerabilities are exploited in the wild, and by whom, or how widespread they are. It credited researchers Andres and Shady for reporting CVE-2024-43572, but no acknowledgment has been given for CVE-2024-43573, raising the possibility that it could be a case of patch bypass.

"Since the discovery of CVE-2024-43572, Microsoft now prevents untrusted MSC files from being opened on a system," Satnam Narang, senior staff research engineer at Tenable, said in a statement shared with The Hacker News.

The active exploitation of CVE-2024-43572 and CVE-2024-43573 has also been noted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 29, 2024.

Among all the flaws disclosed by Redmond on Tuesday, the most severe concerns a remote execution flaw in Microsoft Configuration Manager (CVE-2024-43468, CVSS score: 9.8) that could allow unauthenticated actors to run arbitrary commands.

"An unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the target environment which are processed in an unsafe manner enabling the attacker to execute commands on the server and/or underlying database," it said.

Two other Critical-rated severity flaws also relate to remote code execution in Visual Studio Code extension for Arduino (CVE-2024-43488, CVSS score: 8.8) and Remote Desktop Protocol (RDP) Server (CVE-2024-43582, CVSS score: 8.1).

"Exploitation requires an attacker to send deliberately-malformed packets to a Windows RPC host, and leads to code execution in the context of the RPC service, although what this means in practice may depend on factors including RPC Interface Restriction configuration on the target asset," Adam Barnett, lead software engineer at Rapid7, told about CVE-2024-43582.

"One silver lining: attack complexity is high, since the attacker must win a race condition to access memory improperly."

**Software Patches from Other Vendors**

Outside of Microsoft, security updates have also been released by other vendors over the past few weeks to rectify several vulnerabilities, including —

*   Adobe
*   Amazon Web Services
*   Apache Avro
*   Apple
*   AutomationDirect
*   Bosch
*   Broadcom (including VMware)
*   Cisco (including Splunk)
*   Citrix
*   CODESYS
*   Dell
*   Draytek
*   Drupal
*   F5
*   Fortinet
*   GitLab
*   Google Android
*   Google Chrome
*   Google Cloud
*   Hitachi Energy
*   HP
*   HP Enterprise (including Aruba Networks)
*   IBM
*   Intel
*   Ivanti
*   Jenkins
*   Juniper Networks
*   Lenovo
*   Linux distributions Amazon Linux, Debian, Oracle Linux, Red Hat, Rocky Linux, SUSE, and Ubuntu
*   MediaTek
*   Mitsubishi Electric
*   MongoDB
*   Mozilla Firefox, Firefox ESR, and Thunderbird
*   NVIDIA
*   Okta
*   Palo Alto Networks
*   Progress Software
*   QNAP
*   Qualcomm
*   Rockwell Automation
*   Salesforce Tableau
*   Samsung
*   SAP
*   Schneider Electric
*   Siemens
*   Sophos
*   Synology
*   Trend Micro
*   Veritas
*   Zoom, and
*   Zyxel

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Issues Security Update Fixing 118 Flaws, Two Actively Exploited in the Wild

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.

Tuesday, October 8, 2024 15:04

The largest Microsoft Patch Tuesday since July includes two vulnerabilities that have been exploited in the wild and three other critical issues across the company’s range of hardware and software offerings.  

October’s monthly security update from Microsoft includes fixes for 117 CVEs, the most in a month since July’s updates covered 142 vulnerabilities.   

The two vulnerabilities that Microsoft reports have been actively exploited in the wild and are publicly known are both rated as only being of “moderate” severity.  

CVE-2024-43572 is a remote code execution vulnerability in the Microsoft Management Console that could allow an attacker to execute arbitrary code on the targeted machine. Microsoft’s security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect users against adversaries trying to exploit this vulnerability.  

The security update will prevent untrusted Microsoft Saved Console (MSC) files from being opened to protect customers against the risks associated with this vulnerability. 

The other vulnerability that was exploited in the wild in this week’s security update is CVE-2024-43573, a platform spoofing vulnerability in Windows MSHTML. Platform spoofing vulnerabilities usually allow an adversary to gain unauthorized access to an environment by disguising themselves as a trusted source.  

CVE-2024-43583, an elevation of privilege vulnerability in Winlogon, has also been publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. This vulnerability could allow an attacker to obtain SYSTEM-level privilege. In addition to applying the patch, Microsoft also recommends users enable a Microsoft first-party Input Method Editor (IME) on their devices to prevent adversaries from being able to exploit third-party IMEs during the sign-in process. 

October’s Patch Tuesday also includes three critical vulnerabilities that could all lead to remote code execution. 

CVE-2024-43468 is the most serious of this bunch, with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability in Microsoft Configuration Manager to execute commands on the targeted server or underlying database. 

Another remote code execution vulnerability, CVE-2024-43488, exists in the Visual Studio Code extension for Arduino, an open-source platform for building and managing single-board microcontrollers and microcontroller kits. A missing authentication protocol could allow an adversary to execute remote code over the network.  

Microsoft stated that the company has already mitigated this vulnerability and users do not need to take any additional steps. This extension has also been deprecated and can no longer be downloaded from the internet. 

Lastly, CVE-2024-43582 exists in the Windows Remote Desktop Protocol server and could allow an attacker to execute code on the server side with the same permissions as the RPC service. An adversary could exploit this vulnerability by sending malformed packets to an RPC host. However, exploitation also requires that the adversary win a race condition first.  

Cisco Talos would also like to highlight several vulnerabilities that are only rated as “important,” but Microsoft lists as “more likely” to be exploited: 

*   CVE-2024-43502: Elevation of privilege vulnerability in Windows Kernel 
*   CVE-2024-43509 and CVE-2024-43556: Elevation of privilege vulnerabilities in Windows Graphics Component     
*   CVE-2024-43560: Elevation of privilege vulnerability in Windows Storage Port 
*   CVE-2024-43581 and CVE-2024-43615: Remote code execution vulnerability in Microsoft OpenSSH for Windows  
*   CVE-2024-43609: Spoofing vulnerability in Microsoft Office 

A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page. 

In response to these vulnerability disclosures, Talos is releasing a new Snort rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.  

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 64083 - 64086, 64089, 64090, 64111 and 64112. There are also Snort 3 rules 301034 - 301036 and 301041.

Largest Patch Tuesday since July includes two exploited in the wild, three critical vulnerabilities

San Francisco, CA, 8th October 2024, CyberNewsWire

**San Francisco, CA, October 8th, 2024, CyberNewsWire**

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**Badge Inc****.**, the award-winning privacy company enabling Identity without Secrets™, today announced a partnership with CyberArk and the public release of its integration in the CyberArk Marketplace.

According to the CyberArk website: The Badge CyberArk Identity integration allows specified users to authenticate into CyberArk Identity and its downstream apps and services, using Badge. This enables user-centric privacy, allowing users to issue and revoke digital identity and keys on-demand using biometrics and/or other factors.

The blog post mentions that privileged users hold highly sensitive access credentials and face an ever-increasing threat surface. This has made these users and their credentials prime targets for cyber-attacks. By leveraging Badge’s technology to eliminate the storage of user credentials, organizations benefit unprecedented security, while maintaining a great user experience.

> Archit Lohokare, CyberArk’s GM for Workforce Solutions, “CyberArk is excited to partner with Badge and offer this new integration. It is an important step forward in our mission to deliver comprehensive identity security solutions across all identities and all environments. Badge’s expertise in eliminating stored secrets and removing friction in difficult use cases complements our identity security platform.”

**Integration to CyberArk Marketplace**

Badge and CyberArk are launching a new integration that: 

1.  Enables unprecedented multi-factor authentication experience across all channels, including new and shared devices,
2.  Offers next-generation privacy technology and a more streamlined user experience to customers
3.  Brings phishing-resistant authentication to account recovery workflows.

> “We’re proud to partner with CyberArk. This integration represents a pivotal step forward in the quest to defeat cyber threats targeting privileged accounts. Stored privileged credentials are a high-target vulnerability, and eliminating this weak point is a big step forward. It also underscores the importance of innovative cybersecurity solutions and demonstrates how advancements in technology can be leveraged to enhance security measures across the board,” said Dr. Tina P. Srivastava, Badge Co-founder. “By addressing the vulnerabilities associated with traditional authentication methods like passwords, organizations can protect their most critical assets more effectively, ensuring that their ‘keys to the kingdom’ remain out of reach from cyber adversaries.”

As cyber threats evolve, so are the approaches to cybersecurity. Together, Badge and CyberArk are helping businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**About CyberArk** 

CyberArk is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud environments and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.

**About Badge**

Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services. To learn more: **www.badgeinc.com****.**

**Contact**

**Media Contact**  
**John O’Brien**  
**SBS Comms**  
**\[email protected\]**

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

The largest publicly traded water utility in the US was forced to disconnect some of its online systems, and its website and telecommunications system remained unavailable as of Tuesday morning, Oct. 8.

Source: Juri Samsonov via Alamy Stock Photo

The website of the largest publicly traded water utility in the US remained offline this morning after a cyberattack Oct. 3 forced the company to shut down some of its connected systems and services.

American Water is a significant supplier of water in the US, serving more than 14 million customers across 14 states and 18 military installations. The company employees about 6,500 people across its facilities. It discovered "unauthorized activity within its computer networks and systems" on Oct. 3 that turned out to be the result of a cybersecurity incident, the company reported in a Form 8-K filing with the US Securities and Exchange Commission.

The company activated incident-response protocols and enlisted third-party cybersecurity experts to help it contain and mitigate the attack, which included disconnecting and deactivating "certain" systems to "protect" systems and data, it reported.

**Online, Telecom Systems Affected**

The outages appear to have included the company's online customer-facing sites, as the American Water website as well as its "MyWater" customer portal served up white pages with "Forbidden 403" text today.

An attendant who answered a Dark Reading phone call to American Water's headquarters in Camden, N.J., early on Oct. 8 said she was unable to connect to a member of the media relations team, nor leave a message for anyone because the telecommunications system also "is down."

At this time, it seems that none of the company's water or wastewater facilities or operations have been negatively affected by the incident, although it's too soon to predict the full impact and material effect it will have on the company, according to the filing. An investigation alongside law enforcement officials remains ongoing as to the exact cause and extent of the damage.

**Utilities Under Attack**

Critical infrastructure such as the public water supply and electricity grid both in the US and overseas face increasing risk of attack from threat actors, incidents that have the potential to not only affect network infrastructure or financial coffers, but also cause supply shortages or even physical harm.

The now-infamous May 2021 ransomware attack on Colonial Pipeline is a prime example of the former, while a February 2021 attack on a Florida water-treatment facility, which potentially could have poisoned the water supply if an employee hadn't acted quickly, demonstrates the latter.

“We often overlook how vulnerable our everyday essentials are to digital threats," observes Akhil Mittal, senior manager of cybersecurity strategy and solutions at Black Duck (formerly known as Synopsys Software Integrity Group). "We’re not just talking about data breaches — this is about the safety of millions of people who rely on clean water every day. A cyber incident like this could disrupt water services, delay safety checks, and potentially risk public health."

**Regulatory Effort Stalled**

Unsurprisingly concerned, US federal authorities have put a concerted effort into to doing more to ensure cybersecurity measures at water utilities are a mandatory effort, as nearly 70% of the United States' community drinking water systems fails to comply with the Safe Drinking Water Act, according to the Environmental Protection Agency (EPA).

In fact, the EPA planned to ramp up efforts to enforce the act and other regulatory efforts to ensure better cybersecurity safety across water utilities in May. However, the agency had to roll back these actions last year after it faced litigation from Republican lawmakers and industry groups. Other agencies like CISA have advanced cybersecurity guides for the water sector in the wake of that failed effort.

Prevention of cybersecurity attacks through infrastructure security is indeed the key to ensuring critical services such as the ones utilities offer remain safe, as "protecting these systems is no longer optional now," but "critical to keep things running smoothly and safely," Mittal says.

As this is too late in the case of American Water, he adds, the key to recovering quickly from the incident now will be in taking quick actions to contain the attack, getting all systems back online in a reasonable time frame, and being transparent with the public about what happened.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#cisco