Two heap-based buffer overflow vulnerabilities exist in the httpd manage_post functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.This integer overflow result is used as argument for the malloc function.

**SUMMARY**

Two heap-based buffer overflow vulnerabilities exist in the httpd manage\_post functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger these vulnerabilities.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. Many of those APIs, which expect to receive a POST request, use the manage_post function to manage the received POST data:

    void manage_post(undefined4 param_1,FILE **fd,int content_length)
    
    {
      [...]
      if (post == 1) {
        if (POST_DATA == (char *)0x0) {
          POST_DATA = (char *)malloc(content_length + 1U);                                                          [1]
        }
        else {
          POST_DATA = (char *)realloc(POST_DATA,content_length + 1U);                                               [2]
        }
        if ((POST_DATA != (char *)0x0) &&
           (data_end = wfread(POST_DATA,1,content_length,fd), [...])) {                                             [3]
          [...]
        }
      }
      [...]
    }
    

The first thing checked, after confirming that the request is actually a POST, is if the POST_DATA global variable has already been initialized. Based on the answer, a malloc or a realloc is called to accommodate the actual request’s Content-Length.

The Content-Length is parsed in the manage_request function:

    void manage_request(void)
    {
      [... receive and parse the request until the start of the headers ...]
      [... peforms some checks and parse on the received data ... ]
      
      while( true ) {
        [... tmp_buff is a buffer just after current_header buffer ...]
        read_len = wfgets(current_header,(int)tmp_buff - (int)current_header,(char *)CLIENT_REQUEST_FD);
        if (((is_equal == 0) || (is_equal = strcmp(current_header,"\n"), is_equal == 0)) ||
            (is_equal = strcmp(current_header,"\r\n"), is_equal == 0)) break;
        is_equal = strncasecmp(current_header,"Authorization:",0xe);
        if (is_equal == 0) {
          [...]
        }
        else {
          is_equal = strncasecmp(current_header,"Referer:",8);
          if (is_equal == 0) {
            [...]
          }
          else {
            is_equal = strncasecmp(current_header,"Host:",5);
            if (is_equal == 0) {
              [...]
            }
            else {
              is_equal = strncasecmp(current_header,"Content-Length:",0xf);                                         [4]
              if (is_equal == 0) {
                content_length_value_ptr = current_header + 0xf;
                [...]
                content_length_empty_space = strspn(content_length_value_ptr," \t");
                content_length = content_length_value_ptr + content_length_empty_space;
                CONTENT_LENGTH = strtoul(content_length,(char **)0x0,0);
        [...]
      while( true ) {                                                                                               [5]
        URL_path_pattern = (code *)API_entry_cursor->URL_path_pattern;
        [... find the correct API entry based on the URL path pattern ...]
      }
      [...]
      post = 0;
      is_equal = strcasecmp(request_method,"post");
      if (is_equal == 0) {
        post = 1;
      }
      if ((code *)API_entry_cursor->manage_request_data != (code *)0x0) {
        (*(code *)API_entry_cursor->manage_request_data)
                  (request_URL+1,CLIENT_REQUEST_FD,CONTENT_LENGTH,boundary);                                        [6]
      }
      [...]
    }
    

The function will eventually parse, at [4], the Content-Length. Then, at [5], based on the URL path, the correct API entry struct to use is located. At [6], the manage_request_data function of the located API entry, if not null, is called. The manage_request_data struct field, for several APIs, corresponds to the manage_post function.

**CVE-2023-35965 - malloc integer overflow**

Many API URL paths will eventually call the manage_post function. At [1] for the malloc function the requested size is content_length + 1. The + 1 is used to ensure there is enough space for the null terminator. Because the content_length value is never checked, it could correspond to the max unsigned integer, so, an integer overflow vulnerability exists at [1] that can lead to a heap buffer overflow at [3].

**CVE-2023-35966 - realloc integer overflow**

Many API URL paths will eventually call the manage_post function. At [2] for the realloc function the requested size is content_length + 1. The + 1 is used to ensure there is enough space for the null terminator. Because the content_length value is never checked, it could correspond to the max unsigned integer, so, an integer overflow vulnerability exists at [2] that can lead to a heap buffer overflow at [3].

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-35965: TALOS-2023-1787 || Cisco Talos Intelligence Group

A stack-based buffer overflow vulnerability exists in the libutils.so nvram_restore functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to a buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A stack-based buffer overflow vulnerability exists in the libutils.so nvram\_restore functionality of Yifan YF325 v1.0\_20221108. A specially crafted network request can lead to a buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Yifan YF325 v1.0\_20221108

**PRODUCT URLS**

YF325 - https://yifanwireless.com/entry-level-wifi-router/yf325-series-gprs/3g/4g-wifi-router-with-sim-card-slot.html

**CVSSv3 SCORE**

9.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-121 - Stack-based Buffer Overflow

**DETAILS**

The Yifan YF325 is an industrial cellular router. This device is designed for M2M and IOT applications, allowing remote management, offering several VPN services and many other features.

The YF325 router provides a series of APIs. The API that manages the nvram.cgi* endpoints uses the httpd’s parse_nvram_file function to manage the incoming data:

    void parse_nvram_file(undefined4 param_1,int fd,size_t content_length)
      {
        [...]
        do {
          if ((int)content_length < 1) break;
          read_size = 0x400;
          if (content_length + 1 < 0x401) {
            read_size = content_length + 1;
          }
          read_bytes = wfgets(temp_buf,read_size,fd);
          if (read_bytes == 0) {
            return;
          }
          current_len = strlen(temp_buf);
          content_length = content_length - current_len;
          is_equal = strncasecmp(temp_buf,"Content-Disposition:",0x14);
        } while ((is_equal != 0) || (pcVar3 = strstr(temp_buf,"name=\"file\""), pcVar3 == (char *)0x0));
        while (0 < (int)content_length) {
          read_bytes = wfgets(temp_buf,0x400,fd);
          if (read_bytes == 0) {
            return;
          }
          current_len = strlen(temp_buf);
          content_length = content_length - current_len;
          is_equal = strcmp(temp_buf,"\n");
          if ((is_equal == 0) || (is_equal = strcmp(temp_buf,"\r\n"), is_equal == 0)) break;
        }
        [...]
        restore_fd = fopen("/tmp/restore.bin","wb");
        [... read the request's uploaded file and write it into the "/tmp/restore.bin" file ...]
        res = nvram_restore("/tmp/restore.bin");
        [...]
        return;
      }   The `nvram_restore` function is defined in the `libutils.so` library:
      
    undefined4 nvram_restore(char *filepath)
    
    {
      [...]
      restore_fd = fopen(filepath,"rb");
      res = 0xffffffff;
      if (restore_fd != (FILE *)0x0) {
        [... calculate file_size ...]
        is_magic = strcmp(MAGIC,NVRAM_MAGIC);
        if (is_magic == 0) {
          nvram_clear();
          data_size = file_size + -0xc;
          elem_idx = 0;
          nvram_open();
          [... parse the number_of_elements ...]
          local_2c = &key_length;
          nvram_ver = (char *)0x0;
          while ((elem_idx < number_of_elements && (0 < data_size))) {                                              [1]
            key_length = 0;
            fread(&key_length,1,1,restore_fd);                                                                      [2]
            memset(nvram_key,0,0x80);
            fread(nvram_key,(size_t)key_length,1,restore_fd);                                                       [3]
            [...]
            fread(temp_byte,1,1,restore_fd);
            value_len = (uint)temp_byte[0];
            fread(temp_byte,1,1,restore_fd);
            value_len = value_len + (uint)temp_byte[0] * 0x100 & 0xffff;
            value_ptr = (char *)malloc(value_len + 1);                                                              [4]
            fread(value_ptr,value_len,1,restore_fd);                                                                [5]
            value_ptr[value_len] = '\0';
            data_size = data_size - 1 - key_length - 2 - value_len;
            is_nvram_ver = strcmp(nvram_key,"nvram_ver");
            [...]
            elem_idx = elem_idx + 1;
          }
          nvram_close();
          [...]
          nvram_commit();
          fclose(restore_fd);
          res = 0;
        }
        else {
          fclose(restore_fd);
          res = 0xfffffffe;
        }
      }
      return res;
    }
    

The nvram_restore function will open the file specified by the filepath argument, parse the nvram variables defined in the file and commit the new set of nvram variables. The nvram-uploaded file contains several entries, which are parsed in the loop at [1]. Each loop iteration parses one entry. Each entry has the following layout in the file:

    |  Key length | Key string (Key length bytes)  |  Value length |  Value string (Value length bytes) |
    

The entry’s key length is read at [2], this value is then used to read key length bytes into the nvram_key static buffer, at [3]. The read string is the nvram key. The nvram value buffer is dynamically allocated at [4] based on the nvram value’s length read, then at [5] value length bytes are read into the just-allocated buffer to read the nvram value.

Because the buffer used at [2] for the nvram key is a buffer of 128 bytes, but the length can have a value of up to 255, there is a stack-based buffer-overflow through the nvram key parsing. This function is reachable prior to authentication.

**TIMELINE**

2023-06-28 - Initial Vendor Contact  
2023-07-06 - Vendor Disclosure  
2023-10-11 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2023-34365: TALOS-2023-1763 || Cisco Talos Intelligence Group

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.

Wednesday, October 11, 2023 12:10

Cisco Talos recently disclosed 11 vulnerabilities, 10 of which are zero-days without a patch in an industrial cellular router. 

Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device.  

The one other security issue Talos has disclosed over the past two weeks is a use-after-free vulnerability in an open-source port of WebKit, a popular content rendering engine used in popular web browsers like Apple Safari. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Yifan YF325 **

_Discovered by Francesco Benvenuto._ 

The Yifan YF325 is a cellular terminal device that offers Wi-Fi and ethernet connectivity capabilities to a network.  

The company’s website says the YF325, “has been widely used on M2M fields, such as self-service terminal industry, intelligent transportation, smart grid, industrial automation, telemetry, finance, POS, water supply, environment protection, post, weather, and so on.” 

Talos recently discovered 10 vulnerabilities in this device an adversary could exploit to carry out a variety of malicious actions, including TALOS-2023-1767 (CVE-2023-32632), which could allow an attacker to execute arbitrary shell commands on the targeted device. 

TALOS-2023-1762 (CVE-2023-24479) is perhaps the most serious of the set of vulnerabilities with a CVSS severity score of 9.8 out of 10. An attacker could exploit this vulnerability to change the admin credentials of the device and obtain root access. TALOS-2023-1752 (CVE-2023-32645) is also an authentication bypass vulnerability, but in this case, an attacker could simply use leftover debug credentials to log in as an administrator. 

The remaining vulnerabilities Talos disclosed in this product this week are buffer overflow vulnerabilities all triggered by specially crafted network requests: 

*   TALOS-2023-1761 (CVE-2023-35055 and CVE-2023-35056) 
*   TALOS-2023-1763 (CVE-2023-34365) 
*   TALOS-2023-1764 (CVE-2023-34346) 
*   TALOS-2023-1765 (CVE-2023-31272) 
*   TALOS-2023-1766 (CVE-2023-34426) 
*   TALOS-2023-1787 (CVE-2023-35965 and CVE-2023-35966) 
*   TALOS-2023-1788 (CVE-2023-35967 and CVE-2023-35968) 

All these vulnerabilities also have a severity score of 9.8. 

Talos is disclosing these vulnerabilities despite no official patch from Yifan, all in adherence to Cisco’s third-party vendor vulnerability disclosure policy. 

**Use-after-free vulnerability in WebKitGTK **

_Discovered by Marcin “Icewall” Noga._ 

Talos recently disclosed a use-after-free vulnerability in WebKitGTK’s MediaRecorder API. 

WebKitGTK is a full-featured, open-source port of the WebKit rendering engine. 

TALOS-2023-1831 (CVE-2023-39928) could lead to remote code execution, if the targeted user opens an attacker-controlled, malicious web page using an application that utilizes the affected version of WebKitGTK.

10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows

Categories: Threat Intelligence
In September, two high-profile casino breaches taught us about the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.



(Read more...)




The post Ransomware review: October 2023 appeared first on Malwarebytes Labs.

_This article is based on research by Marcelo Rivero, Malwarebytes' ransomware specialist, who monitors information published by ransomware gangs on their Dark Web sites. In this report, "known attacks" are those where the victim **did not** pay a ransom. This provides the best overall picture of ransomware activity, but the true number of attacks is far higher._

In September, we recorded a total of 427 ransomware victims. As usual, Lockbit (72) led the charts. New players we observed included LostTrust (53), ThreeAM (10), and CiphBit (8).

Last month, MGM Resorts and Caesar Entertainment made headlines after being attacked by an ALPHV affiliate known as Scattered Spider. Other significant attacks included Sony, targeted by RansomedVC, and Johnson Controls, targeted by Dark Angels.

The attacks on MGM Resorts and Caesar Entertainment—which collectively own most of the casino-hotel properties on the Vegas Strip—resulted in the former losing $100 million in earnings and the latter making a reported $15 million ransom payment to the attackers. In both cases, significant amounts of customer data were stolen.

In other news, both LockBit and the Akira ransomware gang, the latter of which has tallied 125 victims since we first began tracking them in April 2023, were confirmed last month to be exploiting a specific zero-day flaw (CVE-2023-20269) in Cisco VPN appliances. On a related note, the effect of CL0P's MOVEit zero-day campaign was further revealed last month when the National Student Clearinghouse and BORN Ontario Child Registry disclosed data breaches attributed to the group.

Known ransomware attacks by gang, September 2023

Known ransomware attacks by country, September 2023

Known ransomware attacks by industry sector, September 2023

Last month’s two high-profile casino breaches were an interesting case study in the nuances of the RaaS affiliate landscape, the asymmetric dangers of phishing, and of two starkly different approaches to ransomware negotiation.

Primarily hailing from the US and the UK, and founded in May 2022, Scattered Spider launched two casino attacks that have given the group attention on a scale rarely seen with RaaS affiliates—whose attacks are normally grouped under whichever RaaS gang supplied them with the ransomware (in this case, ALPHV).

One possible explanation for Scattered Spider’s unusual spotlight resides in the group's level of sophistication. RaaS, by its very nature, has a low barrier to entry, meaning many affiliates are relatively unsophisticated or possess only moderate technical skills. Scattered Spider, on the contrary, highlights the peril posed when ready-made RaaS software merges with seasoned experience: In both of their casino breaches, the group employed advanced tactics, techniques, and procedures (TTPs), including in-depth reconnaissance, social engineering, and advanced lateral movement techniques. 

Scattered Spider typically kick off their attacks by manipulating employees into granting access, and their breaches of MGM Resorts and Caesar Entertainment began no differently. For the MGM breach, Scattered Spider used LinkedIn to pinpoint an MGM Resorts employee, subsequently impersonating them and contacting the company’s help desk requesting account access. Alarmingly, this ploy unveiled a gaping security flaw at MGM—the absence of a stringent user verification protocol at the service desk. After gaining an initial foothold, they escalated their access to administrative rights and subsequently launched a ransomware attack.

Or, as vx-underground so poetically put it: “A company valued at $33,900,000,000 was defeated by a 10-minute conversation.”

Less specifics are known about the exact social engineering scheme used in the Caesar Entertainment breach, but judging by the company's SEC filing, it’s safe to say Scattered Spider used a similar help desk style scam. Both breaches remind us that, whether ransomware is deployed or not, the human element remains one of the most vulnerable spots in an organization’s defenses.

Additionally, the aftermath of these attacks highlights the absence of a one-size-fits-all solution when it comes to paying attackers ransom. According to the Wall Street Journal, MGM Resorts refused to pay the attackers while Caesars Entertainment, in an effort to prevent their stolen data from being leaked, reportedly paid attackers a ransom worth approximately $15 million. It's worth reiterating, of course, that despite whatever internal calculus Caesars Entertainment made when deciding to pay the ransom, there is no guarantee that attackers will hold up their end of the bargain. The company's public willingness to pay also makes them a vulnerable target for further attacks.

On the other hand, there's no denying that a data leak, especially of sensitive customer or corporate information, can cause a level of reputational harm that some companies might view as impossible to risk taking on—even if it means paying a substantial amount to thieves who may or may not honor their word.

**New Players****LostTrust**

LostTrust is a likely rebrand from the MetaEncryptor ransomware gang we first spotted in August 2023. In September, they had a staggering 53 victims. The reason for the rebrand is unclear at present.

**ThreeAM (3AM)**

ThreeAM, a new ransomware family used as a fallback in failed LockBit attack, had 10 victims in September. 

**CiphBit**

While CiphBit has been posting victims on their dark website since April, the group wasn't discovered in-the-wild until last month. In September, they reported two new victims, bringing their total to eight victims to-date.

How to avoid ransomware

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware review: October 2023

Cisco's $28 billion purchase of Splunk was the biggest story, but other security majors made strategic acquisitions as well in a better-than-expected quarter.

Cisco's massive $28 billion acquisition of Splunk in September was the financial highlight of a quarter during which several other vendors also made strategic purchases to position themselves for emerging enterprise requirements around cloud, application and identity security.

The acquisitions added to a better-than-expected quarter ended Sept. 30, 2023, with venture funding too picking up steam after a slowdown earlier this year following the collapse of Silicon Valley Bank. IPO activity showed early signs of a revival for the first since late 2021 as well and provided further evidence of the resilience of the sector against economic conditions that have roiled other verticals.

Security segments that witnessed the most activity included services, security consulting, application GRC, security operations and identity and access management.

**Reasonable Valuations Drive Acquisition Interest**

The third-quarter's M&A activity continued a gradual consolidation of the security industry as big players got bigger through acquisitions and smaller players looked for opportunities to make profitable exits.

"It appears to have been quite an active quarter, even without Cisco’s $28bn acquisition of Splunk, and there are some good reasons for this," says Rik Turner an analyst at Omdia. With IPO activity still not fully revived, some venture capital firms are looking for quicker exits, resulting in a lot of cybersecurity companies being available at reasonable prices. "That’s why there are currently stories circulating about the likes of Dig and Talon being in negotiation to be acquired by Palo Alto, for instance. Even SentinelOne—which is currently public--is also said to be on the hunt for an acquirer," Turner says.

Cisco's purchase of Splunk positioned the company as one of the industry's foremost players in the next generation SIEM market, a cloud and analytics-driven alternative to traditional security information and event management technologies.

The acquisition—Cisco's largest ever—was one of more than half-a-dozen purchases the company has made this year to insert itself into multiple hot cybersecurity segments. Others include identity management vendor Oort, AI/ML software vendor Armorblox, network performance monitoring vendor Acedian and cloud security vendors Lightspin and Valtix.

**A Gradual Reshaping of the Industry**

Cisco was not alone in its attempts to buy its way into lucrative and emerging security segments. Q3, 2023 had several other vendors making similar moves. The most prominent among them were CrowdStrike's purchase of application security posture management vendor Bionic for a report $350 million; Check Point's forking out of some $490 million for secure remote access vendor Perimeter 81; Thales' $3.6 billion acquisition of Imperva in July and Tenable's $265 million cash and restricted stock purchase of cloud native application protection platform vendor Ermetic.

"Strategic technology buyers are actively looking to round up their offerings by acquiring innovative solutions and teams with the subject matter expertise that will help them stay relevant and competitive in emerging market segments," says Alberto Yépez managing director of Forgepoint Capital. "Sponsors are also actively looking for acquisitions that will help them add capabilities to the platform companies they own in order to expand their addressable market and increase their rate of growth."

Yépez identified the managed security services market as a segment that garnered considerable interest from acquisition hunters last quarter—and through the year in general. Much of the activity was in response to growing demand for security services from companies that were either struggling to find professionals or were looking to outsource the security function to others.

"We expect more activity in this segment in the next four to six quarter. It is primed for consolidation," he says. M&A activity so far this year suggests that cloud security and compliance are sectors with lots of potential for consolidation given how overcrowded the segments are with emerging companies, Yépez notes.

Momentum Cyber recorded a total of 63 M&A deals in Q3, 2023 with a total disclosed value of $34.9 billion. Of those, eight involved transactions of $100 million or more. Active M&A sectors in Q3 2023 according to Momentum included security consulting and services, managed security services, security operations, incident response, threat intel and identity and access management.

"While the majority of 2023 has centered around continued headwinds in a difficult market, strategic activity did see an uptick in deal volume across both M&A and financing toward the back half of Q3," says Momentum analyst John Gould. Momentum anticipates the trend will continue into 2024. "Strategic investors are becoming more opportunistic in M&A markets as evidenced by a number of key deals this past quarter," Gould says.

**Investment Activity Showed Signs of a Rebound**

Activity in the third quarter also suggested that investors are finally putting the disruption caused by Silicon Valley Bank's spectacular collapse in March, behind them.

All signs point to total venture funding in cybersecurity hitting $10 billion in 2023, matching the record setting year of 2020 says Richard Stiennon, chief research analyst at IT-Harvest. That total is less than half of the all-time record of $24 billion in 2021, he says. But "considering the failure of Silicon Valley Bank early in the year and the devastating impact that had on VCs, investments are not too shabby," Stiennon says.

IT-Harvest's data showed there was some $7.5 billion invested through the end of September in the cybersecurity sector with the GRC segment—once again—attracting the most investments at $1.6 billion. At the other end of the spectrum was the API security segment with just four investments totaling a paltry $15.9 million so far this year and email security with an even smaller $12.2 million in investor funding.

Investments activity in Q3, 2023 included some big rounds such as the $238 million that Cato Networks raised in equity investment in September. The financing round valued Cato at $3 billion and bought to $773 million in total that the secure access service edge technology provider has raised so far. Cato is one of several companies in the third quarter that hinted at going public in the near term Stiennon says. "There are signs of life on Wall Street with companies like Palo Alto Networks, CrowdStrike, and Zscaler up 63% to 95% from their lows on January 6," he notes.

Other major investments that Momentum tracked in the third-quarter included OneTrust's $150 million later stage venture capital raise in July, SpyCloud's $110 million growth round in August, Resilience's $100 million Series D round and Nord Security's $100 million growth raise in September.

"IPO rumors are also heating up for the first time in a while going into 2024," Gould says. "Later-stage security startups including Cato Networks and Rubrik have been rumored to be considering going public next year as the market looks to rebound from a dead period in traditional IPO activity since late 2021," he says.

Reasonable Valuations Drove Mergers and Acquisition Activity in Q3, 2023

The latest NIST Cybersecurity Framework draft highlights four major themes that organizations should pay attention to for managing risk.

Global cyberattacks have risen sharply over the last few years, increasing by 38% in 2022, according to Check Point. Combine this with the increasing cost of a data breach, averaging $9.44 million in the US and $4.25 million globally in 2022, preventing cyberattacks is at the top of everyone's mind going into 2024.

In early August, the National Institute of Standards and Technology (NIST) shared an update to its Cybersecurity Framework (CSF). The new draft reflects its inclusive and responsive attitude towards risk management for mitigating the cost and frequency of cyberattacks. As the gold standard for building a cybersecurity program and reducing cyber-risk, CSF 2.0 includes feedback from Fortune 500 companies on the front lines of cyberattacks.

To help enterprises keep up with the ever-evolving cyber threat landscape, NIST highlights the following four major themes that have direct business impacts on managing risk. Chief information security officers (CISOs) should keep the following principles in mind as they work to help secure their organizations and reduce cybersecurity risk in 2024.

**Emphasize Continuous and Quantitative Risk Assessment**

Continuous risk assessment is the cornerstone of a robust cybersecurity program. It is crucial for improving risk posture, enabling organizations to understand their most critical IT assets, the threats affecting them, security weaknesses, and the likelihood of these weaknesses getting exploited. Further, the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations conduct cyber-risk assessments regularly to better understand their security posture. And the benefits of these regular assessments can include improving cyber resiliency and meeting cyber insurance requirements.

For organizations looking to implement near real-time risk assessment, automation and artificial intelligence (AI)-based tools are critical for keeping up with the sheer volume of risks. As bad actors begin to use AI for harm, it is critical to learn how to use it for good. Such tools enable enterprises to discover assets, prioritize vulnerabilities, and define the likelihood and potential impact of risks to organizations even as the attack surface evolves.

This recommendation in the NIST updated framework further refines CISOs' deep understanding of the complexities associated with cybersecurity risk measurement. However, the continuous risk assessment process is not up to the CISO alone; investments and buy-in must span all departments of the organization. The entire organization must view this as a means to better use the data it takes in.

**Prioritize Continuous Improvement**

Creating a culture of continuous improvement is more than just a concept. It emphasizes that cybersecurity isn't _just_ about implementing the next incremental category or subcategory recommended by NIST; it's a journey towards adopting a holistic stance with organization-wide support. For example, the software you patched and secured yesterday may be vulnerable to a new exploit today. So, constant adaptation and improvement are essential to keeping all your surfaces free from attacks that can pop up in a moment's notice.

NIST's updated draft embraces this attitude by introducing a new Improvement category in the Identify function. The draft also includes updates to definitions of the implementation tiers and additional factors, including cybersecurity risk management, governance, and third-party risks. This showcases a more holistic approach to managing risk.

**Strengthen Supply Chain Risk Management**

Attacks on the supply chain have become a focal point for bad actors over the past few years. Look no further than the SolarWinds attack and the Log4j exploitation. And there aren't any signs of a slowdown, as Gartner predicts that 45% of global organizations will be impacted by a supply chain attack by 2025. These attacks prove that most organizations struggle to create a software bill of materials (SBOM) for their in-use applications, which produces a gap in protection.

In the updated draft, NIST addresses supply chain risk management by warning organizations that agility and accuracy matter. The draft includes an example of contractually requiring suppliers to provide and maintain a component inventory, which could also be described as an SBOM. When so much of your organization's operations depend on the supply chain remaining intact, you must bring precision to the forefront of risk management to better stay ahead of any incoming attack.

**Enhance Implementation Examples**

While the first draft of the NIST framework included some suggested implementation examples, there were not enough. By adding additional examples, organizations looking to NIST for cybersecurity guidance have additional resources to apply best practices mentioned in the framework. Having as many practical application examples as possible provides CISOs and other security leaders with clear, actionable steps to implement better security measures.

The additional examples included in the updated draft can empower organizations looking to NIST for guidance on cybersecurity to apply best practices. The inclusion of the additional implementation angles shows that NIST is interested in creating a more functional, real-word, and responsive cybersecurity management process.

With increasing complexity and tools sprawl, the ever-expanding attack surface, and increasing regulatory pressures, automated and AI-powered tools that provide a single pane of glass view will be critical. This updated framework provides actionable steps for CISOs to adapt and better align their organization with the dynamic nature of the cybersecurity landscape for 2024 and beyond.

Reassessing the Impacts of Risk Management With NIST Framework 2.0

Threat intel experts see a reduced focus on desktop malware as threat groups prioritize passwords and tokens that let them access the same systems as remote workers.

Every day more than 8,000 Microsoft threat intelligence experts, researchers, analysts, and threat hunters analyze trillions of daily signals to uncover emerging threats and deliver timely, relevant security insights. 

While a good portion of this work is dedicated to threat actors and the infrastructure that enables them, we also focus on nation-state groups to contextualize their activities within the broader scope of geopolitical trends. This is critical in uncovering the "why" behind criminal activity, as well as preparing and protecting vulnerable audiences who may become the target of future attacks.

Read on to learn more about how Chinese nation-state tactics, techniques and procedures (TTPs) and threat activity have evolved over time.

**Adapting Is the Name of the Game**

As with most global industry sectors, COVID-19 led to a number of changes within the Chinese cyber-espionage landscape. The near-overnight shift in the number of employees working from their offices to their individual homes meant companies had to enable remote access to sensitive systems and resources that were previously restricted to corporate networks. In fact, one study found that telework jumped from 5% to 50% of paid US work hours between April and December 2020. Threat actors took advantage of this change by attempting to blend in with the noise, masquerading as remote workers in order to access these resources.

Additionally, because enterprise access policies had to be deployed so quickly, many organizations didn't have adequate time to research and review best practices. This created a gap for cybercriminals, enabling them to exploit system misconfigurations and vulnerabilities. 

As a consequence of this trend, Microsoft threat intelligence experts are seeing fewer instances of desktop malware. Instead, threat groups appear to be prioritizing passwords and tokens that enable them to access sensitive systems used by remote workers.

For example, Nylon Typhoon (formerly NICKEL) is one of the many threat actors that Microsoft tracks. Originally founded in China, Nylon Typhoon leverages exploits against unpatched systems to compromise remote access services and appliances. Once the nation-state actor achieves a successful intrusion, it uses credential dumpers or stealers to obtain legitimate credentials, access victim accounts, and target higher-value systems. 

Recently, Microsoft observed a threat group believed to be Nylon Typhoon conducting a series of intelligence collection operations against China's Belt and Road Initiative (BRI). As a government-run infrastructure project, this incident activity likely straddled the line between traditional and economic espionage.

**Common TTPs Deployed by Chinese Nation-State Groups**

One significant trend that we've observed coming out of China is the shifting focus from user endpoints and custom malware to concentrated resources that exploit edge devices and maintain persistence. Threat groups successfully using these devices to gain network access can potentially remain undetected for a significant period of time.

Virtual private networks (VPNs) are one significant target. Although organizations have begun to implement more stringent security measures, such as tokens, multifactor authentication, and access policies, cybercriminals are adept at navigating these defenses. VPNs are an attractive target because, when compromised successfully, they eliminate the need for malware. Instead, threat groups can simply grant themselves access and log in as any user.

Another rising trend is the use of Shodan, Fofa, and similar databases that scan the Internet, catalog devices, and identify different patch levels. Nation-state groups will also conduct their own Internet scans to uncover vulnerabilities, exploit devices, and, ultimately, access the network. 

This means organizations have to do more than just device patching. An effective solution involves inventorying your Internet-exposed devices, understanding your network perimeters, and cataloging device patch levels. Once that has been achieved, organizations can focus on establishing a granular logging capability and monitoring for anomalies.

As with all cybersecurity trends, nation-state activity is ever-evolving, and threat groups are growing more sophisticated in their attempts to compromise systems and enact damage. By understanding the attack patterns of these nation-state groups, we can better prepare ourselves to defend against future threats.

_— Read more_ _Partner Perspectives from Microsoft Security__._

A Frontline Report of Chinese Threat Actor Tactics and Techniques

NB Defense, ModelScan, and Rebuff, which detect vulnerabilities in machine learning systems, are available on GitHub.

Protect AI, maker of Huntr, a bug-bounty program for open source software (OSS), is venturing further into the OSS world by licensing three of its artificial intelligence/machine learning (AI/ML) security tools under the permissive Apache 2.0 terms.

The company developed the first tool, NB Defense, to protect ML projects being developed in Jupyter Notebooks, a common application favored by data scientists. As it became widely used, hackers began targeting Jupyter because of the power inherent in a tool meant to test code and packages. In response, Protech AI developed NB Defense, a pair of tools for scanning Notebooks for vulnerabilities, such as secrets, personally identifiable information (PII), CVE exposures, and code subject to restrictive third-party licenses. The JupityrLab extension finds and fixes security issues within a Notebook, whereas the CLI tool enables scanning of multiple Notebooks simultaneously and automatic scanning of those being uploaded to a central repository.

The second tool, ModelScan, originated from the need for teams to share ML models across the Internet, as more companies are developing AI/ML tools for internal use. ModelScan scans Pytorch, Tensorflow, Keras, and other formats for model serialization attacks,such as credential theft, data poisoning, model poisoning, and privilege escalation (wherein the model is weaponized to attack other company assets).

The third tool, Rebuff, was an existing open source project that Protect AI acquired in July and has continued developing. Rebuff addresses prompt injection (PI) attacks, in which an attacker sends malicious inputs to large language models (LLMs) in order to manipulate outputs, expose sensitive data, and allow unauthorized actions. The self-hardening prompt injection detection framework employs four layers of defense: heuristics, which filters out potentially malicious input before it reaches the model; a dedicated LLM, which analyzes incoming prompts to identify potential attacks; a database of known attacks, which helps it recognize and fend off similar attacks later on; and canary tokens, which modify prompts to detect leaks.

The spread of AI and LLMs across organizations of various sizes has led to a similar rise in tools to secure — or attack — such models. For example, HiddenLayer, this year's winner of the RSA Conference Innovation Sandbox, made securing those models against tampering its mission. In 2021, Microsoft released a security framework and its own open source tools for protecting AI systems against adversarial attacks. And the flaws just announced in TorchServe underscore the real-world stakes for even the biggest players, such as Walmart and the three major cloud service providers.

All three of Protect AI's tools — NB Defense, ModelScan, and Rebuff — are available on GitHub.

Protect AI Releases 3 AI/ML Security Tools as Open Source

The United Nations' top internet governance body will allegedly host its next two annual meetings in countries known for repressive internet policies and human rights abuses.

The United Nations’ main internet governance body looks set to host its next international forum in Riyadh, Saudi Arabia. In 2025, the UN may take its discussions on the future of an open internet to Russia. Holding the Internet Governance Forum (IGF), back to back, in authoritarian countries notorious for their surveillance and censorship of the internet risks making “a joke of the whole system,” one advocate says.

While the UN has yet to formally announce the host countries for either meeting, Saudi Arabia's minister of communications and information technology, Abdullah Alswaha, seemed to let the news slip at this year’s forum in Tokyo, Japan, which began on Sunday and ends Thursday.

In a short speech before the plenary, Alswaha ran through some key issues facing the IGF, including generative artificial intelligence and the digital divide. He proposed to the attendees that “we continue this dialog at Riyadh IGF ‘24.” He repeated that idea again at the end of his speech, leaving attendees buzzing.

“It's extremely problematic,” Barbora Bukovská, senior director for law and policy at human rights organization Article 19, tells WIRED. She learned the news on Tuesday from colleagues in Tokyo. “Their human rights record and their record on digital freedoms should disqualify them from having it.”

In recent years, Riyadh has engaged in digital surveillance of dissidents, administering the death penalty against citizens who called out its human rights record online. The Saudi regime also ordered the 2018 extrajudicial killing of journalist Jamal Khashoggi. Freedom House, a pro-democracy nonprofit, assesses that Saudi Arabia maintains one of the world’s most restrictive and censored internet systems, only marginally better than Russia.

“The IGF is a community, it's a multi-stakeholder event,” Bukovská says. “You are supposed to have not just governments and companies, but also civil society, activists, and so on.” She says it will be difficult to invite democracy and open internet advocates to Riyadh. “How are they supposed to participate in Saudi Arabia, when you can be targeted by spyware, and with all kinds of restrictions? So I think it's extremely problematic.”

The IGF is a relatively new organization, having been set up in 2006. Its purpose is more advisory than regulatory, serving as a chance for countries, corporations, civil society organizations, and activists to discuss and debate various aspects of how the internet itself is run. “It's quite interesting and important for shaping the responses on certain issues,” Bukovská says.

While it may not be responsible for standards and regulations like the International Telecommunications Union—which has also been the subject of an international tug-of-war between censorship-minded countries and those who support an open internet—it is the main UN body devoted to internet governance. Where it is hosted matters, Bukovská says. Countries like Saudi Arabia can use the Forum “as a decoy to present themselves as a part of the international community, which respects human rights.”

Oppressive governments have worked hard to dismantle the shared system of governance model of the internet, argues Léa Fiddler, pushing instead for “sovereign digital ecosystems over which they can exert even more control, leading to what is often called the ‘splinternet.”

Fiddler is a visiting fellow for democracy and human rights at the Atlantic Council’s DFRLab. She wrote in advance of the 2023 Forum that the IGF will have an “outsized impact on how the internet looks and operates over the next several decades.” The IGF is also due to renew and rewrite its mandate in the coming years, she notes. “The conclusions that stakeholders come to at IGF will inform their stance on efforts at risk of being exploited for authoritarian purposes.”

There have been proposals put forth at the UN to substantially alter the balance of power in global internet governance. Fiddler points to the “Global Digital Compact,” which could substantially increase the UN’s role in regulating the internet. In a similar vein, Bukovská points to a cybersecurity treaty currently being proposed by Russia which, critics fear, is so vague that it could permit prosecution and targeting of journalists and democracy advocates.

Saudi Arabia will not be the first illiberal regime to host the IGF. Last year’s Forum was held in Addis Ababa, Ethiopia, amid an internet shutdown in the country’s Tigray region. Critics like digital rights group AccessNow decried the choice of venue at the time. “We cannot have a truly resilient internet or shared, sustainable, common future if we systematically silence or ignore those most at risk of rights violations,” the organization wrote in a statement.

It’s unclear if Saudi Arabia was the only country to actually submit a bid to host the 2024 Forum.

In 2021, Canadian cybersecurity firm eQualitie launched a petition to have the 2024 Forum in Montreal. Dozens of tech companies and civil society organizations from Canada and around the world signed on to the petition, but the Canadian government appears to have ignored the request. A spokesperson for Canadian foreign affairs minister Melanie Joly did not return a request for comment.

In a press release, eQualitie called Riyadh’s selection a "missed opportunity" and that Saudi Arabia's successful bid "raises concerns about the Forum's ability to maintain its principles of open dialogue and collaboration with civil society."

In a LinkedIn post, Bukovská sarcastically wrote of the trend being set by the UN body hosting an internet governance conference in Riyadh. “I guess I will also be looking forward to visiting Pyongyang, Teheran, or Moscow in the years to come.” But there are good odds that the IGF’s next meeting will, in fact, be held in Russia.

In 2020, the Russian Internet Governance Forum issued a press release indicating that Russia had been chosen as the 2025 host, citing official confirmation sent by the UN. It was repeated again in December 2021 by Russia’s deputy prime minister, Dmitry Chernyshenko. “Choosing Russia as the venue to host the 20th forum is a great honor for us and evidence that our country’s strong positions in the field of the development of the information society and digital technologies are recognized,” he said in a speech.

WIRED has previously reported on how a concerted American campaign for the presidency of the International Telecommunications Union thwarted Russian efforts to take over the body.

“This actually makes a joke of the whole system,” Bukovská says. She points to similar efforts at the UN Human Rights Council. “If you want to protect the integrity of these UN systems, as something where states should be held accountable for their human rights violations, it should not go to these countries.”

This spring, the Norwegian government announced its bid for the 2025 forum. The IGF has not officially indicated where the forum will be held, and the Norwegian government did not respond to a request for comment.

It is increasingly clear that the world’s most repressive countries are vying, either in conjunction or independently, to gain more control of how the very mechanics of the internet operate.

The UN Risks Normalizing Internet Censorship

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

Xiaomi welcomes security experts and research teams to join our Vulnerability Disclosure Program (VDP). Xiaomi is commited to taking the responsibility to the security of our users around the world can enjoy a secure and reliable intelligent life.

For the security vulnerabilities disclosed in this page, Xiaomi does not imply any kind of guarantee or warranty, either express or implied, including the warranties of merchantability or fitness for a particular purpose or non-infringement. You understand the vulnerabilities disclosure information is just to provide reference for you to assess security risk and make appropriate decision. Your use of the document, by whatsoever means, will be totally at your own risk. In no event shall Xiaomi or be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Tag

#intel