A Prototype Pollution issue in cdr0 sg 1.0.10 allows an attacker to execute arbitrary code.

**@cdr0/sg Prototype Pollution**

Moderate severity GitHub Reviewed Published Jun 17, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-fg52-5jjj-28h7: @cdr0/sg Prototype Pollution

A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes.
Cybersecurity company Sygnia, which responded to

Cyber Espionage / Vulnerability

A suspected China-nexus cyber espionage actor has been attributed as behind a prolonged attack against an unnamed organization located in East Asia for a period of about three years, with the adversary establishing persistence using legacy F5 BIG-IP appliances and using it as an internal command-and-control (C&C) for defense evasion purposes.

Cybersecurity company Sygnia, which responded to the intrusion in late 2023, is tracking the activity under the name **Velvet Ant**, characterizing it as possessing robust capabilities to swiftly pivot and adapt their tactics to counter-remediation efforts.

"Velvet Ant is a sophisticated and innovative threat actor," the Israeli company said in a technical report shared with The Hacker News. "They collected sensitive information over a long period of time, focusing on customer and financial information."

The attack chains involve the use of a known backdoor called PlugX (aka Korplug), a modular remote access trojan (RAT) that has been widely put to use by espionage operators with ties to Chinese interests. PlugX is known to rely heavily on a technique called DLL side-loading to infiltrate devices.

Sygnia said it also identified attempts on the part of the threat actor to disable endpoint security software prior to installing PlugX, with open-source tools like Impacket used for lateral movement.

Also identified as part of the incident response and remediation efforts was a reworked variant of PlugX that used an internal file server for C&C, thereby allowing the malicious traffic to blend in with legitimate network activity.

"This meant that the threat actor deployed two versions of PlugX within the network," the company noted. "The first version, configured with an external C&C server, was installed on endpoints with direct internet access, facilitating the exfiltration of sensitive information. The second version did not have a C&C configuration, and was deployed exclusively on legacy servers."

In particular, the second variant was found to have abused out-of-date F5 BIG-IP devices as a covert channel to communicate with the external C&C server by issuing commands over a reverse SSH tunnel, once again highlighting how compromising edge appliances can allow threat actors to gain persistence for extended periods of time.

"There is just one thing that is required for a mass exploitation incident to occur, and that is a vulnerable edge service, meaning a piece of software that is accessible from the internet," WithSecure said in a recent analysis.

"Devices such as these are often intended to make a network more secure, yet time and again vulnerabilities have been discovered in such devices and exploited by attackers, providing a perfect foothold in a target network."

Subsequent forensic analysis of the hacked F5 devices has also uncovered the presence of a tool named PMCD that polls the threat actor's C&C server every 60 minutes to look for commands to execute, as well as additional programs for capturing network packets and SOCKS tunneling utility dubbed EarthWorm that has used by actors like Gelsemium and Lucky Mouse.

The exact initial access vector – whether it's spear-phishing or exploitation of known security flaws in internet-exposed systems – used to breach the target environment is currently not known.

The development follows the emergence of new China-linked clusters tracked as Unfading Sea Haze, Operation Diplomatic Specter, and Operation Crimson Palace which have been observed targeting Asia with the goal of gathering sensitive information.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

China-Linked Hackers Infiltrate East Asian Firm for 3 Years Using F5 Devices

Traditional application security practices are not effective in the modern DevOps world. When security scans are run only at the end of the software delivery lifecycle (either right before or after a service is deployed), the ensuing process of compiling and fixing vulnerabilities creates massive overhead for developers. The overhead that degrades velocity and puts production deadlines at risk.

Traditional application security practices are not effective in the modern DevOps world. When security scans are run only at the end of the software delivery lifecycle (either right before or after a service is deployed), the ensuing process of compiling and fixing vulnerabilities creates massive overhead for developers. The overhead that degrades velocity and puts production deadlines at risk.

Regulatory pressure to ensure the integrity of all software components is also ramping up dramatically. Applications are built with an increasing number of open source software (OSS) components and other 3rd party artifacts, each of which can introduce new vulnerabilities to the application. Attackers seek to exploit these components' vulnerabilities, which also puts the software's consumers at risk.

Software represents the largest under-addressed attack surface that organizations face. Some interesting statistics to digest:

*   More than 80% of software vulnerabilities are introduced through open source software (OSS) and 3rd party components
*   Digital supply chain attacks are becoming more aggressive, sophisticated, and diverse. By 2025, 45% of organizations will have experienced at least one. (Gartner)
*   Total cost of software supply chain cyber attacks to businesses will exceed $80.6 billion globally by 2026, up from $45.8 billion in 2023 (Juniper Research)

The current threat environment, coupled with the drive to deliver applications faster, compels organizations to integrate security throughout the software development lifecycle in ways that don't degrade developer productivity. This practice is formally known as DevSecOps.

Delivering secure software– the outcome of an effective DevSecOps program– is a huge undertaking. It requires significant cultural changes across multiple functions to drive shared responsibility, collaboration, transparency, and effective communication. It also requires the right set of tools, technologies, and use of automation and AI to secure applications at the speed of development. Implemented correctly, DevSecOps becomes a major success factor in delivering secure software.

****So What is DevSecOps?****

DevSecOps, short for development, security, and operations, is an approach to software development that integrates security practices throughout the entire software development lifecycle. It emphasizes collaboration and communication between development teams, security teams, and operations teams to ensure that security is built into every stage of the software development process.

Within the context of software development pipelines, DevSecOps aims to "shift security left", which essentially means as early as possible in the development process. Quite frankly, it involves integrating security practices and tools into the development pipeline from the very beginning. By doing so, security becomes an integral part of the software development process rather than a late-stage add-on.

This approach makes it significantly easier for organizations to identify and resolve security vulnerabilities early on, and meet regulatory obligations. It's also important to note that DevSecOps is built upon a culture of collaboration and shared responsibility. It breaks down silos and encourages cross-functional teams to work together towards a common goal of building more secure applications at high velocity.

****Guiding Principles for Delivering Secure Software****

At a high level, building and running an effective DevSecOps program means that your organization is able to operate a secure delivery platform, test for software vulnerabilities, prioritize and remediate vulnerabilities, prevent the release of insecure code, and ensure the integrity of software and all of its artifacts. Below are detailed descriptions of the elements and required capabilities to achieve a successful DevSecOps practice.

**Establish a Collaborative Culture That Makes Security a Shared Responsibility**

The success of any DevSecOps practice is really in the hands of its stakeholders, so before setting out to acquire, configure and deploy new tools and technologies,

If your organization builds, sells, or consumes software (which today is every conceivable organization on the planet), then every single employee has an impact on the overall security posture– not just those with 'security' in their titles. At its core, DevSecOps is a culture of shared responsibility, and operating with a common security-oriented mindset determines how well DevSecOps processes fit into place and can drive better decision-making when choosing DevOps platforms, tooling, and individual security solutions.

Mindsets don't change overnight, but alignment and a sense of security accountability can be achieved through the following:

*   Commitment to regular internal security training– tailored to DevSecOps– that includes developers, DevOps engineers, and security engineers. Skills gaps and needs shouldn't be underestimated.
*   Developer adoption of secure coding methodologies and resources
*   Security engineering contributes to application and environment architecture, design reviews. It's always easier to identify and fix security issues early in the software development lifecycle.

**Break Down Functional Silos and Collaborate Continuously**

Since DevSecOps is a result of the confluence of software development, IT operations, and security, breaking down silos and actively collaborating on a continuous basis is critical for success. Typically, DevOps-centric organizations operating without any formal DevSecOps framework see security entering the picture like an unwelcome party crasher.

Process changes or tooling that is suddenly imposed (as opposed to collaboratively chosen and instantiated) invariably results in development pipeline friction and unnecessary toil for developers. A common scenario involves security mandating additional application security checks without consideration for their placement within the pipeline, or for how much workload is required to process scanner output and remediate vulnerabilities, which inevitably falls to developers.

*   Driving collaboration and operating as a cohesive DevSecOps team involves:
*   Defining and agreeing upon a set of measurable security objectives, such as mean time to remediation and % reduction in CVE alert noise.
*   Involvement from software developers and DevOps teams throughout the evaluation and procurement processes for new security tools
*   Ensuring no DevSecOps process has a single functional gatekeeper
*   Iteratively optimizing tooling choices and security practices for developer productivity and velocity

**Shift Security Left**

Implementing shift-left security is a crucial step in securing application code as it moves through development pipelines. This approach involves integrating security practices early in the software development lifecycle, starting from the initial stages of coding and extending throughout the entire development and deployment process. By shifting security testing further left, organizations can identify and address vulnerabilities at an early stage, reducing the risk of security breaches and ensuring the delivery of secure applications.

Shifting security left successfully starts with the integration and orchestration of different types of security scanners throughout development pipelines. There are several categories of application security tests that DevSecOps teams need to adopt and employ in order to catch and remediate vulnerabilities throughout the software development lifecycle. The techniques employed by each type of security scanner are complimentary. Combined, they are very effective in surfacing known security issues before an application hits production.

****How to Get Started****

If you'd like to learn the fundamentals of secure software delivery, who should be involved, and ultimately how to achieve a highly-effective DevSecOps practice, you should download the _Definitive Guide to Secure Software Delivery_. We'll provide an overview of what's required from a tools, technologies, and process perspective to deliver software that is more secure, faster.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

What is DevSecOps and Why is it Essential for Secure Software Delivery?

A ShinyHunters hacker tells WIRED that they gained access to Ticketmaster’s Snowflake cloud account—and others—by first breaching a third-party contractor.

Hackers who stole terabytes of data from Ticketmaster and other customers of the cloud storage firm Snowflake claim they obtained access to some of the Snowflake accounts by first breaching a Belarusian-founded contractor that works with those customers.

About 165 customer accounts were potentially affected in the recent hacking campaign targeting Snowflake’s customers, but only a few of these have been identified so far. In addition to Ticketmaster, the banking firm Santander has also acknowledged that their data was stolen but declined to identify the account from which it was stolen. Wired, however, has independently confirmed that it was a Snowflake account; the stolen data included bank account details for 30 million customers, including 6 million account numbers and balances, 28 million credit card numbers, and human resources information about staff, according to a post published by the hackers. Lending Tree and Advance Auto Parts have also said they might be victims as well.

Snowflake has not revealed details about how the hackers accessed the accounts, saying only that the intruders did not directly breach Snowflake’s network. This week, Google-owned security firm Mandiant, one of the companies engaged by Snowflake to investigate the breaches, revealed in a blog post that in some cases the hackers first obtained access through third-party contractors, without identifying the contractors or stating how this access aided the hackers in breaching the Snowflake accounts.

But according to one of the hackers who spoke with WIRED through a text chat, one of those firms was EPAM Systems, a publicly traded software engineering and digital services firm, founded by Belarus-born Arkadiy Dobkin, with current revenue of around $4.8 billion. The hacker says his group, which calls themselves ShinyHunters, used data found on an EPAM employee system to gain access to some of the Snowflake accounts.

EPAM told WIRED that it does not believe that it played a role in the breaches and suggested the hacker had fabricated the tale. ShinyHunters has been around since 2020 and has been responsible for numerous breaches since then that involve stealing large troves of data and leaking or selling it online.

Snowflake is a large data storage and analysis firm that provides tools for companies to derive intelligence and insight from customer data. EPAM develops software and provides various managed services for customers worldwide, primarily in North America, Europe, Asia, and Australia, according to its web site, with about 60 percent of its revenue coming from customers in North America. Among the services EPAM provides customers is assistance with using and managing their Snowflake accounts to store and analyze their data. EPAM claims it has some 300 workers who are experienced in using Snowflake’s data analytics tools and services, and announced in 2022 that it had attained “Elite Tier Partner” status with Snowflake to leverage the latter’s analytics platform for its customers.

EPAM’s founder emigrated from Belarus to the US in the ’90s before founding his company in 1993 from his New Jersey apartment. Nearly two-thirds of EPAM’s 55,000 employees resided in Ukraine, Belarus, and Russia until Russia invaded Ukraine, at which point the company says it closed its Russia operations and moved some of its Ukrainian workers to locations outside of that country.

The hacker who spoke with WIRED says that a computer belonging to one of EPAM’s employees in Ukraine was infected with info-stealer malware through a spear-phishing attack. It’s unclear if someone from ShinyHunters conducted this initial breach or just purchased access to the infected system from someone else who hacked the worker and installed the infostealer. The hacker says that once on the EPAM worker’s system, they installed a remote-access Trojan, giving them complete access to everything on the worker’s computer.

Using this access, they say, they found unencrypted usernames and passwords that the worker used to access and manage EPAM customers’ Snowflake accounts, including an account for Ticketmaster. The hacker says the credentials were stored on the worker’s machine in a project management tool called Jira. The hackers were able to use those credentials, they say, to access the Snowflake accounts because the Snowflake accounts didn’t require multifactor authentication (MFA) to access them. (MFA requires that users type in a one-time temporary code in addition to a username and password, making accounts that use MFA more secure.)

While EPAM denies it was involved in the breach, hackers did steal data from Snowflake accounts including Ticketmaster's, and have extorted the owners of the data by demanding hundreds of thousands, and in some cases more than a million, dollars to destroy the data or risk having the hackers sell it elsewhere.

The hacker who spoke with WIRED didn’t identify all of the victims breached through EPAM but did indicate that Ticketmaster was one of them. Ticketmaster did not respond to a request for comment from WIRED. But Ticketmaster’s parent company, Live Nation, has acknowledged that data was stolen from its Snowflake account in May without revealing how much data was stolen or how the hackers accessed the Snowflake account. In a post offering the data for sale, however, the hackers indicated that they had taken data on 560 million Ticketmaster consumers.

The hacker claims that in some cases they were able to directly access the Snowflake account of EPAM customers using the plaintext usernames and passwords they found on the EPAM worker’s computer. But in cases where Snowflake credentials weren’t stored on the worker’s system, the hacker claims they sifted through stockpiles of old credentials stolen in previous breaches by hackers using infostealer malware and found additional usernames and passwords for Snowflake accounts, including ones harvested from the machine of the same EPAM worker in Ukraine.

Credentials harvested by infostealers are often posted online or made available for sale on hacker forums. If victims don’t change their login credentials after a breach, or don’t know their data has been stolen, those credentials can remain active and available for years. It’s especially problematic if those credentials are used across multiple accounts; hackers can identify the user through the email address they use as a login credential, and if that person reuses the same password, hackers can simply try those credentials in multiple places.

The hackers in this case say they were able to use credentials stolen by an infostealer in 2020 to access Snowflake accounts.

WIRED wasn’t able to independently confirm that the hackers were inside the EPAM worker’s machine or used EPAM to gain access to Ticketmaster’s data and other Snowflake accounts, but the hacker provided WIRED with a file that appears to be a list of EPAM worker credentials lifted from the company’s Active Directory database after they gained access to the worker’s computer.

Furthermore, in the blog post written by Mandiant, which was published after the hacker told WIRED about his group’s use of data harvested by infostealers, the security firm revealed that the hackers who breached Snowflake accounts used old data siphoned by infostealers to access some of the accounts. Mandiant said that about 80 percent of the victims it identified in the Snowflake campaign were compromised using credentials that had previously been stolen and exposed by infostealers.

And an independent security researcher who has been helping to negotiate the ransom transactions between the ShinyHunter hackers and victims of the Snowflake campaign pointed WIRED to an online repository of data harvested by an infostealer that includes data siphoned from the computer of the EPAM worker in Ukraine that the hacker says was used to gain access to the Snowflake accounts. This stolen data includes the worker’s browser history, which reveals the worker’s complete name. It also includes an internal EPAM URL pointing to Ticketmaster’s Snowflake account, as well as a plaintext version of the username and password that the EPAM worker used to access the Ticketmaster Snowflake account.

“This means that \[an EPAM worker\] who had access to that Snowflake \[account\] had password-stealing malware on their computer, and their password was stolen and sold on the dark web,” says the researcher, who asked to be identified only as Reddington, an identity they use online to communicate with cybercriminals. “This means that anyone that knew the correct URL to \[Ticketmaster’s\] Snowflake could have simply looked up the password, logged in, and stolen the data.”

An EPAM spokesperson did not seem to be aware when contacted by WIRED early this week that its company allegedly played a role in breaches of Snowflake accounts. “We do not comment on situations to which we are not a part,” she wrote in an email, suggesting the company did not believe it played any role in the campaign. When WIRED provided the spokeswoman with details about how the hackers say they obtained access to the system of an EPAM worker in Ukraine, she replied, “Hackers frequently spread false information to advance their agendas. We maintain a policy of not engaging with misinformation and consistently uphold robust security measures to protect our operations and customers. We are continuing our exhaustive investigation and, at this time, see no evidence to suggest that we have been affected or involved in this matter.”

WIRED followed up by providing the name of the Ukrainian worker whose machine the hackers allegedly compromised, as well as the username and password the worker used for accessing Ticketmaster’s Snowflake account, but the spokesperson did not respond to any additional questions.

It’s possible the ShinyHunter hackers did not directly hack the EPAM worker, and simply gained access to the Snowflake accounts using usernames and passwords they obtained from old repositories of credentials stolen by info stealers. But, as Reddington points out, this means that anyone else can sift through those repositories for these and other credentials stolen from EPAM accounts. Reddington says they found data online that was used by nine different infostealers to harvest data from the machines of EPAM workers. This raises potential concerns about the security of data belonging to other EPAM customers.

EPAM has customers across various critical industries, including banks and other financial services, health care, broadcast networks, pharmaceutical, energy and other utilities, insurance, and software and hi-tech—the latter customers include Microsoft, Google, Adobe, and Amazon Web Services. It’s not clear, however, if any of these companies have Snowflake accounts to which EPAM workers have access. WIRED also wasn’t able to confirm whether Ticketmaster, Santander, Lending Tree, or Advance AutoParts are EPAM customers.

The Snowflake campaign also highlights the growing security risks from third-party companies in general and from infostealers. In its blog post this week, Mandiant suggested that multiple contractors were breached to gain access to Snowflake accounts, noting that contractors—often known as business process outsourcing (BPO) companies—are a potential gold mine for hackers, because compromising the machine of a contractor that has access to the accounts of multiple customers can give them direct access to many customer accounts.

“Contractors that customers engage to assist with their use of Snowflake may utilize personal and/or non-monitored laptops that exacerbate this initial entry vector,” wrote Mandiant in its blog post. “These devices, often used to access the systems of multiple organizations, present a significant risk. If compromised by infostealer malware, a single contractor's laptop can facilitate threat actor access across multiple organizations, often with IT and administrator-level privileges.”

The company also highlighted the growing risk from infostealers, noting that the majority of the credentials the hackers used in the Snowflake campaign came from repositories of data previously stolen by various infostealer campaigns, some of which dated as far back as 2020. “Mandiant identified hundreds of customer Snowflake credentials exposed via infostealers since 2020,” the company noted.

This, accompanied by the fact that the targeted Snowflake accounts didn’t use MFA to further protect them, made the breaches in this campaign possible, Mandiant notes.

Snowflake’s CISO, Brad Jones, acknowledged last week that the lack of multifactor authentication enabled the breaches. In a phone call this week, Jones told WIRED that Snowflake is working on giving its customers the ability to mandate that users of their accounts employ multifactor authentication going forward, “and then we’ll be looking in the future to \[make the\] default MFA,” he says.

_Update 6/17/2024, 5:45 pm EDT: The article was updated to clarify the details that Santander has publicly revealed about the hack._

Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake

A list of topics we covered in the week of June 10 to June 16 of 2024

June 14, 2024 - On Wednesday June 12, 2024, a well-known dark web data broker and cybercriminal acting under the name “Sp1d3r” offered a significant...

June 13, 2024 - Google revealed that a firmware vulnerability in its Pixel devices has been under limited active exploitation

June 12, 2024 - Adobe announced changes to its ToS which sparked backlash among users, so it posted an explainer to take away the major concerns

June 11, 2024 - Canada's and UK privacy authorities are going to investigate the data breach at 23andMe to assess what the company could have done better.

June 11, 2024 - Digital sharing is the norm in romantic relationships. But some access could leave partners vulnerable to inconvenience, spying, and abuse.

 A week in security (June 10 &#8211; June 16) 

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates.
"The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed **BadSpace** under the guise of fake browser updates.

"The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim's system," German cybersecurity company G DATA said in a report.

Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month.

It all starts with a compromised website, including those built on WordPress, to inject code that incorporates logic to determine if a user has visited the site before.

Should it be the user's first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request.

The response from the server subsequently overlays the contents of the web page with a phony Google Chrome update pop-up window to either directly drop the malware or a JavaScript downloader that, in turn, downloads and executes BadSpace.

An analysis of the C2 servers used in the campaign has uncovered connections to a known malware called SocGholish (aka FakeUpdates), a JavaScript-based downloader malware that's propagated via the same mechanism.

BadSpace, in addition to employing anti-sandbox checks and setting up persistence using scheduled tasks, is capable of harvesting system information and processing commands that allow it to take screenshots, execute instructions using cmd.exe, read and write files, and delete the scheduled task.

The disclosure comes as both eSentire and Sucuri have warned different campaigns leveraging bogus browser update lures in compromised sites to distribute information stealers and remote access trojans.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.
The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.
"Due to the nature of crack programs, information sharing amongst

Threat actors have been observed deploying a malware called NiceRAT to co-opt infected devices into a botnet.

The attacks, which target South Korean users, are designed to propagate the malware under the guise of cracked software, such as Microsoft Windows, or tools that purport to offer license verification for Microsoft Office.

"Due to the nature of crack programs, information sharing amongst ordinary users contributes to the malware's distribution independently from the initial distributor," the AhnLab Security Intelligence Center (ASEC) said.

"Because threat actors typically explain ways to remove anti-malware programs during the distribution phase, it is difficult to detect the distributed malware."

Alternate distribution vectors involve the use of a botnet comprising zombie computers that are infiltrated by a remote access trojan (RAT) known as NanoCore RAT, mirroring prior activity that leveraged the Nitol DDoS malware for propagating another malware dubbed Amadey Bot.

NiceRAT is an actively developed open-source RAT and stealer malware written in Python that uses a Discord Webhook for command-and-control (C2), allowing the threat actors to siphon sensitive information from the compromised host.

First released on April 17, 2024, the current version of the program is 1.1.0. It's also available as a premium version, according to its developer, suggesting that it's advertised under the malware-as-a-service (MaaS) model.

The development comes amid the return of a cryptocurrency mining botnet referred to as Bondnet, which has been detected using the high-performance miner bots as C2 servers since 2023 by configuring a reverse proxy using a modified version of a legitimate tool called Fast Reverse Proxy (FRP).

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

NiceRAT Malware Targets South Korean Users via Cracked Software

In SonarQube before 10.4 and 9.9.4 LTA, encrypted values generated using the Settings Encryption feature are potentially exposed in cleartext as part of the URL parameters in the logs (such as SonarQube Access Logs, Proxy Logs, etc).

**SonarQube logs sensitive information**

Moderate severity GitHub Reviewed Published Jun 16, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-hw2c-8xgw-mf57: SonarQube logs sensitive information

langchain_experimental (aka LangChain Experimental) before 0.0.61 for LangChain provides Python REPL access without an opt-in step. NOTE; this issue exists because of an incomplete fix for CVE-2024-27444.

**langchain\_experimental Code Execution via Python REPL access**

Moderate severity GitHub Reviewed Published Jun 16, 2024 to the GitHub Advisory Database • Updated Jun 17, 2024

GHSA-wmvm-9vqv-5qpp: langchain_experimental Code Execution via Python REPL access

In this common email scam, a criminal pretending to be your boss or coworker emails you asking for a favor involving money. Here's what do to when a bad actor lands in your inbox.

Don't close this tab! I know there are few combinations of words less interesting than business, email, and compromise. I may as well have written an article about fiber, socks, and responsibility. But this isn't a boring article: it's an article about email con artists who, according to the FBI, are pulling in $26 billion a year by scamming people.

So yeah: business email compromise scams are a big deal. The con artists behind this criminal enterprise will cold email you, pretending to be someone you work with, in order to gain access to money or information. You might get an email that appears to be from your company's CEO asking you to quickly do something like buy gift cards, or you might get an email that looks like it's from an employee at your company asking you to change their direct deposit information. The scam itself can take a lot of forms, but the end goal is to somehow siphon money away from you or the business you work for.

It's worth it for anyone with a desk job to take a few moments to learn how to spot these emails. I talked with a few experts, and they passed along some helpful advice.

**Always Question Urgency**

When I asked two cybersecurity experts about BEC fraud, I expected them to lead with technical advice. Both started with emotions. This makes sense: while such fraud happens on computers, it is at its heart about psychological manipulation. So spotting an email compromise scam requires getting in touch with how you're feeling.

"If an email elicits an emotional response, take a step back and reread it when you're more calm," says Ronnie Tokazowski, a security researcher who has been working to educate people about email scams for over a decade. Tokazowski emphasizes how important creating a false sense of urgency is to such scams. The stress the scam induces is what keeps you from questioning the premise. "People who get pulled into these types of scams … their emotions get very deregulated," he says. That makes you less capable of thinking critically, which is a key part of how such scams work.

Selena Larson, a threat researcher at cybersecurity firm Proofpoint, went a step further. "I don't know if you can print this, but honestly: just breathe," she says. "Slow down, take a deep breath. That actually helps you think more clearly and rationally. Walk away from your computer or your phone and think critically. Would this be an email that someone would send me? Is this is a logical thing that I'm being asked to do?"

You should be particularly skeptical if the person sending the email asks you to keep something quiet.

"Scammers do things like isolate you from your peers," says Larson. "They come at you from a position of authority and say things like, 'Please keep this confidential and only between us.' This type of social engineering makes it so people feel like they have to take an action with some kind of urgency, and that you can't share it with anybody."

So this is the first step: take control of your emotions. Yes, it can be difficult if you work in a demanding field. But it's your best first defense, and your employer will thank you for it (or, at least, they should).

**Always Confirm Through a Second Channel**

Now that you're skeptically questioning the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be from. The best way to do this is to ask—just be careful.

"If you received an email like this, it's important to pick up the phone and call the number you know to be legitimate," says Larson, adding a caveat. "Do not rely on a phone number in the email itself—it will be owned by the threat actor."

This is a crucial point: any contact information in the email itself is likely compromised, and sometimes cleverly so. Use the phone number you've already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email looks correct, because some scammers will go through the trouble of getting a phone number that's similar to that of the person they're impersonating, all on the hopes that you'll call that number instead of the real one.

"I've seen phone numbers off two digits from the actual phone number," says Tokazowski.

Call the person who supposedly emailed you—using a number you are 100 percent sure is real—and confirm the request is authentic. You could also use some other secure communication channel like Slack or Microsoft Teams, or, if they're in the office, just ask them face to face. The point is to confirm any urgent request somewhere outside of the initial email. And even if the person is your boss or some other bigwig, do not worry about wasting their time.

"The person that is being impersonated would so much rather have someone take the time to confirm than to lose thousands or a million dollars in a malicious transaction," says Larson.

**Check the Email Address**

Getting in touch with the supposed sender isn't always an option. If not, there are a few tricks you can use to spot whether an email is real or fake. The first: check the email address and make sure it's from company domain.

"Always check the domains that you're receiving emails from," says Larson. Sometimes this will be obvious; your CEO likely isn't emailing you from a Gmail account, for example. Sometimes it will be more subtle—fraudsters have been known to purchase domains that look similar to that of the company they're attempting to fraud, all in the hopes of appearing legitimate.

It's also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they'll use the actual domain of the company to make it look legitimate, but that won't match the email address,” says Larson. Just keep in mind that the difference might be subtle. “Lookalike domains are very common: someone will do a slight variation, like an ‘l’ instead of an ‘i’, to make it look legitimate.” One way to test that, if you're suspicious, is to copy and paste the domain half of the address into a browser. If you don't get a website, you're probably dealing with a fake.

Another trick scammers will use is email spoofing, which you can spot by clicking reply and checking the email address that shows up in the "To" field. If it's a different email address than the one the email looks like it arrived from, you're likely dealing with a fake request.

**Go Through the Proper Protocols**

Now this is boring, but the best defense against business email compromise scams might be old-fashioned bureaucracy. If there is a process in place for things that are the common target of scams—large purchases, for example, or updating financial information in a database—then your company is less likely to fall victim to such scams.

“Most of the time, from a process perspective, that request of purchasing something would need to go through human resources, procurement,” says Tokazowski. If you get a request like this over email asking you to bypass the usual processes, be skeptical. “There needs to be a paper trail. Someone saying ‘purchase this from your personal account’ is a process that just wouldn't happen.”

A healthy company probably shouldn't be using email as the workflow for important financial processes. If you want to change your direct deposit information, for example, it's terrible practice for the workflow.

**Leaders: Keep Communication Open**

I have one last piece of advice, and it's for leaders inside companies: don't act in such a way that people will mistake scammers for you. If you regularly email employees and ask for urgent favors while telling people to keep quiet about these requests and to not work through the official channels, you're increasing the odds that your company falls victim to such scams. On the other hand, if you create a company culture of transparency, you're making the company stronger and more resistant.

“An important step is to ensure that you're trying to foster a culture of open communication,” says Tokazowski. Many organizations are structured in a way that communication between various levels is minimized. In such organizations, Tokazowski says, “skip-level meetings” are helpful. This is a style of meeting where a senior manager meets with a middle manager's direct reports without the middle manager there—skipping a level in the hierarchy—to develop stronger paths of communication between all the levels.

Another thing leaders should keep in mind is how important it is to talk openly if your company falls victim to such a scam.

“The shame that people feel, regardless of the type of scam, feeling horrible, is part of how these scams keep working,” says Larson. “Talking about it openly helps the person, their peers, and their colleagues learn how to understand how to protect themselves.”

Tag

#git