Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

**Agop CMS 1.0 Insecure Direct Object Reference**

Posted Jul 22, 2024

Authored by indoushka

Agop CMS version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 1ed22de09e417dcaed8d9f03d8d62abd6b70fc4587552e70a4bdbce253d3011b

Download | Favorite | View

**Agop CMS 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Agop CMS v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : http://gico.io/agop/demos/                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/managePages.php[+] https://www/127.0.0.1/tiktrades.com/admin/managePages.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,061)
*   Arbitrary (16,823)
*   BBS (2,859)
*   Bypass (1,852)
*   CGI (1,033)
*   Code Execution (7,776)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,380)
*   DoS (24,985)
*   Encryption (2,389)
*   Exploit (53,050)
*   File Inclusion (4,256)
*   File Upload (989)
*   Firewall (822)
*   Info Disclosure (2,875)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (895)
*   Kernel (7,161)
*   Local (14,770)
*   Magazine (586)
*   Overflow (13,147)
*   Perl (1,435)
*   PHP (5,219)
*   Proof of Concept (2,381)
*   Protocol (3,723)
*   Python (1,629)
*   Remote (31,602)
*   Root (3,625)
*   Rootkit (525)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,021)
*   Shell (3,270)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,271)
*   SQL Injection (16,584)
*   TCP (2,439)
*   Trojan (690)
*   UDP (901)
*   Virus (669)
*   Vulnerability (32,893)
*   Web (9,947)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,234)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,090)
*   BSD (376)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,082)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,531)
*   HPUX (880)
*   iOS (376)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,456)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,351)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,673)
*   UNIX (9,429)
*   UnixWare (187)
*   Windows (6,667)
*   Other

Agop CMS 1.0 Insecure Direct Object Reference

The DOD wants to refurbish ICBM silos that give it the ability to end civilization. But these missiles are useless as weapons, and their other main purpose—attracting an enemy’s nuclear strikes—serves no end.

If you’re one of the millions of Americans who live within range of its 450 intercontinental ballistic missile silos, the Pentagon has written you off as an acceptable casualty. The silos are scattered across North Dakota, Montana, Colorado, Wyoming, and Nebraska in a zone of sacrifice—what lawmakers and military planners have long called the “nuclear sponge.”

Despite real concerns over cost overruns, human lives, and the general uselessness of ICBMs, the Pentagon is barreling forward with a plan to modernize those silos and their missiles. Right now the Department of Defense thinks it’ll cost $141 billion. Independent research puts the number at closer to $315 billion.

All of that is money the Pentagon plans to use to build a doomsday machine—a weapon that, were it ever used, would mean the end of human civilization. Such a weapon, most experts agree, is pointless.

ICBMs are a relic of the Cold War. The conventional thinking is that a nuclear power needs three options for deploying nuclear weapons—air-based strategic bombers, sea-based stealth submarines, and land-based missiles. That’s the nuclear triad. Should one leg of the triad fail, one of the other two will prevail.

First deployed throughout the 1960s, America’s ICBMs are old. According to the US Air Force, the Minuteman III missiles need to be decommissioned and replaced with a new missile called the Sentinel. Northrop Grumman has a plan to do it. The Air Force wants to buy 634 Sentinel missiles and modernize 400 silos and 600 other additional facilities.

This would cost probably hundreds of billions of dollars. The prices have spiraled so out of control—up 81 percent from 2020 projections—that it triggered a little-known congressional rule aimed at curtailing costs. If a weapons program’s costs bloat beyond 25 percent of their original projection, the DOD has to justify the need for the program and the rising costs. On July 8, the Pentagon released the results of the review. Unsurprisingly, it said it needs the weapons. A congressional hearing is scheduled for July 24.

There’s been a lot of congressional back and forth about the program. Representative Adam Smith, a Washington Democrat and ranking member of the House Armed Services Committee, has been public in his opposition to the program. Senator Deb Fischer, a Nebraska Republican, has said that people calling for cuts to the nuclear program are living in a dream world.

“Land-based ICBMs, by virtue of their location in our heartland, are also unlikely to be targeted by enemy attack,” Fischer said in a recent Newsweek op-ed.

“Military planners would be surprised to hear that,” says Joseph Cirincione, retired president of the Ploughshares fund and former director of nonproliferation at the Carnegie Endowment for International Peace. “Because a major justification for the program is that it would do exactly that, it would force the adversary to target these warheads … they’re counting on the adversary thinking about it.”

At one point in his career, Cirincione was a congressional staffer who worked on military reform for almost a decade. “When I was on the Armed Services Committee staff in the ’80s and ’90s, I heard about the sponge,” he says. “It’s one of the two chief justifications for the ICBM.”

The other is its responsiveness—the idea that it can fire and hit its targets a few minutes faster than a submarine or a bomber. “The arguments get very vague, and they’re intentionally kept vague,” he says. “And you hear that people sort of make this profound-sounding strategic rationale—value-laden phrases like, ‘They’re the backbone of our national defense strategy backbone.’ But probing that, digging under it, you realize it’s just built on sand. There’s no foundational logic to this beyond Cold War targeting calculations.”

The targeting calculations are absurd and frightening. These silos exist so that the United States can launch an all-out nuclear attack on Russia or China. The goal of the strike would be the total destruction of the population centers of the opposing nation. It would not be about an in-kind attack, but rather the total obliteration of the enemy. This is precisely why many experts consider them useless.

“If we used the ICBMs it would be the end of human civilization, even without an adversary hitting the United States with a single warhead,” Cirincione says.

“I think there’s no point to the ICBM silos,” says Tara Drozdenko, director of global security at the Union of Concerned Scientists. “Our submarine-based missiles are quite accurate. They’re basically impossible to find, and so they don’t have the vulnerability as our fixed-in-one-spot silos have.”

This means that, in practice, the point of the ICBMs is to draw enemy warheads away from population centers and toward more sparsely-populated areas of the US. But those warheads hitting the United States would have profound consequences for the planet and its people. A study from Sébastien Philippe at Princeton’s Program on Science and Global Security found that an all-out attack on the nuclear sponge would lead to the deaths of millions of people in the US, Canada, and Mexico.

“It’s not just absorbing a nuclear attack,” Philippe tells WIRED. “It’s like when you pour water on the sponge, and then you press onto it, it’s going to spill everywhere. So spill-out from that sponge is massive radioactive fallout across the country.”

In Philippe’s study, he and a team used recent weather data to model how radioactive fallout would flow across the planet after an attack on the nuclear sponge. “Overall, almost 300 million were at risk of receiving lethal doses depending on where the wind would blow…just from having that weapon system attack,” he says.

The fallout would be severe. “We’re not talking about having cancer in 15, 20, 30 years. We’re talking about your cells and organs and your body shutting down in days, weeks, or months after the explosion.”

The consequences of the Sentinel program extend beyond a worst-case scenario, however. The Air Force’s plan proposes a monumental feat of engineering. To support the new missiles, the Air Force plans to demolish 45 missile alert facilities and build at least 24 new ones in their place. It will renovate the existing 450 silos, construct 3,100 miles of utility corridors, and raise 62 300-foot-tall communications towers. The Air Force says it can do all this by 2036.

That’ll take a lot of labor power—roughly 3,000 temporary workers. They’ll have to live somewhere, and current Sentinel plans involve the construction of temporary housing for the folks who come to work on the silos. “That’s something the communities are worried about,” Philippe says.

Communities in silo states like North Dakota lived through something similar during the fracking booms of the past two decades. Massive shale deposits moved temporary workers across western and midwestern states. Crime followed. Opposition to the project on tribal lands and local communities is already building.

Kimball, Nebraska, will be the site of one of these early pioneer camps. The pioneer camp will construct “The Hub,” a three-story dormitory filled with 600-square-foot apartments. It’ll be wildcat hours, with Hub workers living onsite for a month at a time and pulling 10-hour shifts before returning back home to family. The construction of this facility will double the population of Kimball while it’s in use.

Perhaps the most ludicrous part of the Sentinel program is that the US doesn’t need ICBMs at all. Its sea-based stealth submarines are hard to detect and harder to destroy. If an enemy ever threatened a nuclear attack on America, a submarine would be available to retaliate. In addition, the US has stealth bombers that can deliver nuclear weapons from the air.

So why drill holes in the ground and fill them with nuclear weapons? In her op-ed, Fischer gave away the game: It’s about fear. “We invest in nuclear weapons because they underwrite every operation or negotiation undertaken by our nation,” she wrote. “Effective diplomacy—especially with other nuclear powers—means nothing if it isn't buttressed by a formidable nuclear deterrent.”

Fischer doesn’t speak for everyone at the Pentagon nor every politician on the Hill, but she does highlight a dangerous strain of thinking. In order for America to be a major player on the world stage, the logic goes, the world has to believe it’s willing to destroy the world if it doesn’t get what it wants.

The Pentagon Wants to Spend $141 Billion on a Doomsday Machine

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.
BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale

The JavaScript downloader malware known as SocGholish (aka FakeUpdates) is being used to deliver a remote access trojan called AsyncRAT as well as a legitimate open-source project called BOINC.

BOINC, short for Berkeley Open Infrastructure Network Computing Client, is an open-source "volunteer computing" platform maintained by the University of California with an aim to carry out "large-scale distributed high-throughput computing" using participating home computers on which the app is installed.

"It's similar to a cryptocurrency miner in that way (using computer resources to do work), and it's actually designed to reward users with a specific type of cryptocurrency called Gridcoin, designed for this purpose," Huntress researchers Matt Anderson, Alden Schmidt, and Greg Linares said in a report published last week.

These malicious installations are designed to connect to an actor-controlled domain ("rosettahome\[.\]cn" or "rosettahome\[.\]top"), essentially acting as a command-and-control (C2) server to collect host data, transmit payloads, and push further commands. As of July 15, 10,032 clients are connected to the two domains.

The cybersecurity firm said while it hasn't observed any follow-on activity or tasks being executed by the infected hosts, it hypothesized that the "host connections could be sold off as initial access vectors to be used by other actors and potentially used to execute ransomware."

SocGholish attack sequences typically begin when users land on compromised websites, where they are prompted to download a fake browser update that, upon execution, triggers the retrieval of additional payloads to the infiltrated machines.

The JavaScript downloader, in this case, activates two disjointed chains, one that leads to the deployment of a fileless variant of AsyncRAT and the other resulting in the BOINC installation.

The BOINC app, which is renamed as "SecurityHealthService.exe" or "trustedinstaller.exe" to evade detection, sets persistence using a scheduled task by means of a PowerShell script.

The misuse of BOINC for malicious purposes hasn't gone unnoticed by the project maintainers, who are currently investigating the problem and finding a way to "defeat this malware." Evidence of the abuse dates back to at least June 26, 2024.

"The motivation and intent of the threat actor by loading this software onto infected hosts isn't clear at this point," the researchers said.

"Infected clients actively connecting to malicious BOINC servers present a fairly high risk, as there's potential for a motivated threat actor to misuse this connection and execute any number of malicious commands or software on the host to further escalate privileges or move laterally through a network and compromise an entire domain."

The development comes as Check Point said it's been tracking the use of compiled V8 JavaScript by malware authors to sidestep static detections and conceal remote access trojans, stealers, loaders, cryptocurrency miners, wipers, and ransomware.

"In the ongoing battle between security experts and threat actors, malware developers keep coming up with new tricks to hide their attacks," security researcher Moshe Marelus said. "It's not surprising that they've started using V8, as this technology is commonly used to create software as it is very widespread and extremely hard to analyze."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

SocGholish Malware Exploits BOINC Project for Covert Cyberattacks

Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.
"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a

Cybersecurity researchers have discovered a new Linux variant of a ransomware strain known as Play (aka Balloonfly and PlayCrypt) that's designed to target VMware ESXi environments.

"This development suggests that the group could be broadening its attacks across the Linux platform, leading to an expanded victim pool and more successful ransom negotiations," Trend Micro researchers said in a report published Friday.

Play, which arrived on the scene in June 2022, is known for its double extortion tactics, encrypting systems after exfiltrating sensitive data and demanding payment in exchange for a decryption key. According to estimates released by Australia and the U.S., as many as 300 organizations have been victimized by the ransomware group as of October 2023.

Statistics shared by Trend Micro for the first seven months of 2024 show that the U.S. is the country with the highest number of victims, followed by Canada, Germany, the U.K., and the Netherlands.

Manufacturing, professional services, construction, IT, retail, financial services, transportation, media, legal services, and real estate are some of the top industries affected by the Play ransomware during the time period.

The cybersecurity firm's analysis of a Linux variant of Play comes from a RAR archive file hosted on an IP address (108.61.142\[.\]190), which also contains other tools identified as utilized in previous attacks such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor.

"Though no actual infection has been observed, the command-and-control (C&C) server hosts the common tools that Play ransomware currently uses in its attacks," it said. "This could denote that the Linux variant might employ similar tactics, techniques, and procedures (TTPs)."

The ransomware sample, upon execution, ensures that it's running in an ESXi environment before proceeding to encrypt virtual machine (VM) files, including VM disk, configuration, and metadata files, and appending them with the extension ".PLAY." A ransom note is then dropped in the root directory.

Further analysis has determined that the Play ransomware group is likely using the services and infrastructure peddled by Prolific Puma, which offers an illicit link-shortening service to other cybercriminals to help them evade detection while distributing malware.

Specifically, it employs what's called a registered domain generation algorithm (RDGA) to spin up new domain names, a programmatic mechanism that's increasingly being used by several threat actors, including VexTrio Viper and Revolver Rabbit, for phishing, spam, and malware propagation.

Revolver Rabbit, for instance, is believed to have registered over 500,000 domains on the ".bond" top-level domain (TLD) at an approximate cost of more than $1 million, leveraging them as active and decoy C2 servers for the XLoader (aka FormBook) stealer malware.

"The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash," Infoblox noted in a recent analysis. "Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words."

RDGAs are a lot more challenging to detect and defend against than traditional DGAs owing to the fact that they allow threat actors to generate many domain names to register them for use – either all at once or over time – in their criminal infrastructure.

"In an RDGA, the algorithm is a secret kept by the threat actor, and they register all the domain names," Infoblox said. "In a traditional DGA, the malware contains an algorithm that can be discovered, and most of the domain names will not be registered. While DGAs are used exclusively for connection to a malware controller, RDGAs are used for a wide range of malicious activity."

The latest findings indicate a potential collaboration between two cybercriminal entities, suggesting that the Play ransomware actors are taking steps to bypass security protocols through Prolific Puma's services.

"ESXi environments are high-value targets for ransomware attacks due to their critical role in business operations," Trend Micro concluded. "The efficiency of encrypting numerous VMs simultaneously and the valuable data they hold further elevate their lucrativeness for cybercriminals."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Linux Variant of Play Ransomware Targeting VMware ESXi Systems

The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform.

**H2O vulnerable to Deserialization of Untrusted Data**

High severity GitHub Reviewed Published Jul 21, 2024 to the GitHub Advisory Database • Updated Jul 22, 2024

GHSA-w36w-948j-xhfw: H2O vulnerable to Deserialization of Untrusted Data

Plus: The FBI unlocks the Trump shooter’s phone, a security researcher gets legal threats for exposing hackable traffic lights, and more.

The week was particularly chock-full of dramatic security news. On Friday, a flawed update to CrowdStrike’s Falcon platform caused massive global service outages and disruptions around the world. The issue, which only impacted Windows computers, crashed PCs and servers, disrupting air travel, hospitals, banks, universities, and more.

Earlier in the week, WIRED had reported that following a massive data breach, AT&T paid $370,000 to get hackers to delete the stolen data. And, though it’s always possible that attackers saved a copy of the trove, a security researcher with knowledge of the transaction told WIRED he believes the only copy has been wiped. In a separate incident, hackers claimed last week to have stolen and leaked more than a terabyte of data comprising Disney’s complete Slack archive.

A WIRED analysis of Republican vice presidential nominee J.D. Vance’s Venmo account sheds some light on the Senator’s network and connections, including some of the architects of Project 2025 and enemies of Vance’s running mate, Donald Trump.

Federal prosecutors indicted a 20-year-old man on Tuesday for allegedly leading the violent and White supremacist Eastern European gang known as “Maniac Murder Cult,” or MKY. The group has been implicated in a number of assaults and attacks abroad, including at least one murder.

The US Supreme Court’s recent decision in _Loper Bright Enterprises v. Raimondo_ to overturn what’s known as the Chevron deference will have major implications for US cybersecurity defense, because federal agencies are now limited in their ability to regulate. And US senator Mark Warner of Virginia is working to pass new limits on government wiretaps, but at least two senators are quietly trying to stop him.

And there’s more. Each week, we round up the security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Russian Hacktivists Who Attacked US Water Utilities Named and Sanctioned**

Sometimes “Julia,” the shadowy, pseudonymous Russian hacker telling you her grand plans to sabotage the West, really is just Julia. Or Yuliya.

On Friday, the Treasury Department announced that it is imposing sanctions on two alleged Russian cybercriminals for their alleged involvement in the hacktivist group Cyber Army of Russia Reborn, or CARR, which rose to prominence this year due to its reckless and somewhat sloppy attacks on Western critical infrastructure, as well as its apparent ties to Russia’s GRU military intelligence agency. Those two sanctioned hackers are identified in Treasury’s statement for the first time as Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko.

In May, WIRED interviewed a CARR spokesperson who called herself Julia about the group’s attacks, which included one that caused tens of thousands of gallons of water to be spilled from a water utility in the small town of Muleshoe, Texas. That spokesperson now appears to have likely been Pankratova, who is identified by Treasury as CARR’s spokesperson, while Degtyarenko is described as its “primary hacker.”

Treasury also notes that “instances of major damage to victims have thus far been avoided due to CARR’s lack of technical sophistication,” a line that, for any hacker, may hurt even worse than sanctions.

**FBI Gains Access to Trump Shooter’s Locked Phone**

For anyone who thought the locked phone of would-be Trump assassin Thomas Crooks was about to lead to another standoff between the FBI and the tech industry’s privacy advocates—standoff over. Immediately following the assassination attempt, which ended when Crooks was shot and killed by police, Crooks’ locked Android phone was unlocked by the FBI, the Bureau announced last weekend. Though the FBI didn’t reveal how it was able to crack the phone, Bloomberg reported later this week that law enforcement used “unreleased technology” from the phone-hacking software company Cellebrite.

**Security Researcher Shows Traffic Lights Are Hackable—and Gets a Legal Threat**

Hacking traffic lights has long been one of Hollywood’s favorite ideas of cyber mayhem, from the _Italian Job_ to _Live Free or Die Hard_. If only cyber defenders had known all along that they could prevent all that traffic hacking with a strongly worded letter from their lawyer.

This week, Andrew Lemon, a researcher for security firm Red Threat, published a pair of blog posts that outline how it would be possible to hack traffic light systems sold by the company Econolite due to a lack of authentication in their web interface. While the software had safeguards in place that would have prevented tampering with the lights to cause collisions, a hacker could nonetheless have messed with their configuration to cause traffic jams, Lemon found. When Lemon reported the issues to Econolite, however, its parent company, Q-Free, responded in a letter that not only didn’t suggest it would fix the issue—it said it no longer sells the systems—but also threatened Lemon by pointing out his hacking research was potentially illegal. A company spokesperson told TechCrunch, which broke the story, that municipalities that use the vulnerable system should not leave the traffic light software exposed online and should buy newer systems to replace them.

**North Korean Hackers Steal $230 Million in Crypto From WazirX Exchange**

Another week, another nine-figure injection of digital funds into the world’s most authoritarian country. WazirX, India’s largest cryptocurrency exchange, was hacked this week and robbed of nearly a quarter-billion dollars in crypto, largely in the form of SHIB, a Shiba Inu-themed cryptocurrency. Crypto-tracing firm Elliptic quickly tied the attack to North Korean hackers. That absurd and disturbing crime adds significantly to the $1.4 billion that hackers have stolen in crypto so far this year, which was already on pace to double last year’s total cryptocurrency thefts.

The Feds Say These Are the Russian Hackers Who Attacked US Water Utilities

An enormous IT outage across the world today is not the result of a cyberattack, but rather a faulty update from CrowdStrike.

A faulty update from the cybersecurity vendor CrowdStrike crashed countless Windows computers and sent them into a “Blue Screen of Death” (BSOD), grinding to a halt the global operations of airlines, hospitals, news broadcasters, transportation agencies, and more.

The incident itself is not the result of a cyberattack. There is no evidence of a breach or of any cybercriminal involvement.

But, as Malwarebytes Labs has reported before, many major events can lead to follow-on threats of phishing and scams, and this global outage is no different. On July 19, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on this same risk:

“CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.”

As of reporting, CrowdStrike has already issued a fix.

****What happened****

On July 19, businesses in Australia began reporting that their Windows computers were restarting automatically into a BSOD, making them inaccessible to users. The reports were limited only to Windows machines and, as verified later by CrowdStrike, computers running Mac OS or Linux were not affected.

As IT admins in Australia scrambled to get their organizations back online, the same BSOD issue began greeting workers across Europe. The problem, it became clear, was becoming global, with reports of similar problems in Germany, Japan, India, and, eventually, the United States.

Hundreds of businesses were immediately impacted. Flights were grounded. Delays are being warned for package delivery provider UPS. Hospitals in the state of Maryland began cancelling procedures. And The Washington Post reported that, while many retailers were unscathed, coffee giant Starbucks was experiencing difficulties with its mobile ordering system.

What every affected business had in common was their use of Windows computers running CrowdStrike’s cybersecurity platform.

In the past 24 hours, CrowdStrike issued a faulty software update for Windows devices that included a problematic “channel file.” Windows devices that installed this update were then sent into a boot loop back into the “Blue Screen of Death” which kept users from accessing their own computers.

****The fix****

As of 05:27 AM UTC, CrowdStrike had identified the faulty channel file and issued a new, safe channel file for use. Deleting the channel file and installing the correct channel file, however, could require direct, physical access to a computer—a particularly time-intensive task as increasingly more businesses have adopted hybrid and Work From Home models.

CrowdStrike has a full statement on hox to fix Windows machines that are still stuck in the BSOD loop here.

Everyday users who are affected by this outage on their work machines or personal machines are not at heightened risk of a cybersecurity attack. Instead, people should simply remain vigilant about malicious emails and websites that promise fixes for the problem. For any and all maintenance, rely on CrowdStrike’s official statements and, if experiencing problems at work, rely on your IT admin.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

 CrowdStrike update at center of Windows &#8220;Blue Screen of Death&#8221; outage 

Though the cybersecurity vendor has since reverted the update, chaos continues as companies continue to struggle to get back up and running.

Source: SOPA Images Limited via Alamy Stock Photo

This is a breaking news story and will be updated as new developments occur.

This morning, Microsoft servers across the world displayed the dreaded "blue screen of death," leading to mass IT outages that disrupted business, airlines and flights, healthcare providers, banks, and more. The cause: A defective update to CrowdStrike Falcon Sensor, a widely used cloud-based endpoint detection and prevention (EDR) software program.

CrowdStrike said its engineering team has identified the issue that caused the massive disruption to Windows-based systems: A bug in the Memory Scanning prevention policy, which was not identified during their testing stages, Callie Guenther, senior manager at Critical Start, noted in an emailed statement.

"While CrowdStrike likely performed standard regression and functionality tests, these were insufficient because they did not simulate the real-world deployment environment where the bug caused the Falcon sensor to consume 100% of a CPU core," she wrote. This ultimately led to system performance issues.

CrowdStrike has since reverted the flawed Falcon software update. Even so, some users are still experiencing system crashes or are unable to stay online to receive the new and fixed version. The cybersecurity vendor has provided workaround steps for this issue.

In a post on social platform X, Microsoft CEO Satya Nadella said the company is aware of the issue and is working closely with CrowdStrike to provide technical support to its customers and get their systems back online.

**Falcon Fallout**

The severity of the broken CrowdStrike update became increasingly painful as victim reports rolled in throughout the day: More than 1,300 flights have been canceled or delayed, trains, card payments in stores, pharmacies, and even general practitioner (GP) surgeries were stalled. 

The Department of Health in Belfast reported that two-thirds of GP practices in Northern Ireland have been affected, with patient records inaccessible as well as lab tests and routine prescriptions.

Delta flights have been paused as it "works through a vendor technology issue," the New York Times reported, and Turkish Airlines has canceled at least 84 flights. Employees at financial institutions like JPMorgan Chase and Instinet have had trouble accessing their corporate systems as operations began to stutter.

Even the Paris Olympics organizing committee reports that its IT operations have been affected, mainly affecting delivery of uniforms and accreditations.

Meanwhile, President Joe Biden has been briefed on the outage, according to the White House, and administration officials are reportedly in touch with affected entities as well as CrowdStrike, which is working with customers that have been impacted.

"Mac and Linux hosts are not impacted," George Kurtz, president and CEO of CrowdStrike, wrote online. "This is not a security incident or cyberattack. The issue has been identified \[and isolated,\] and a fix has been deployed. We refer customers to the support portal for the latest updates and will continue to provide complete and continuous updates on our website."

**It's Not a Data Breach, but it's a Disaster**

In an industry where cybersecurity practices and services are meant to protect an enterprise without interrupting them, this outage proves that "even non-malicious cybersecurity failures can bring businesses to their knees," according to Maxine Holt, cybersecurity analyst at Omdia.

This massive incident underscores an over-reliance on cloud services, Holt noted in an online statement, and the outage may prompt organizations to reconsider moving their mission-critical applications to the cloud.

"Omdia's Cloud and Data Center analysts have long warned about over-reliance on cloud services," Holt said. "Today's outages will make enterprises rethink moving mission-critical applications off-premises. The ripple effect is massive, hitting CrowdStrike, Microsoft, AWS, Azure, Google, and beyond. CrowdStrike's shares have plummeted by more than 20% in unofficial pre-market trading in the US, translating to a staggering $16 billion loss in value."

As CrowdStrike will undoubtedly face scrutiny as it gets back on its feet, only time will tell how this outage could affect regulation and pressure on software vendors.

"We need stronger regulations and guidance on vendor responsibilities for functional testing," Josh Thorngren, security strategist at ForAllSecure, wrote in an emailed statement. "If you're not testing the behavior of your application under-expected (and unexpected) conditions with every update — this type of issue will always be a risk."

Buggy CrowdStrike EDR Update Crashes Windows Systems Worldwide

The Coalition for Secure AI is a consortium of influential AI companies aiming to develop tools to secure AI applications and set up an ecosystem for sharing best practices.

Source: ElenaBS via Alamy Stock Photo

The largest and most influential artificial intelligence (AI) companies are joining forces to map out a security-first approach to the development and use of generative AI.

The Coalition for Secure AI, also called CoSAI, aims to provide the tools to mitigate the risks involved in AI. The goal is to create standardized guardrails, security technologies, and tools for the secure development of models.

"Our initial workstreams include AI and software supply chain security and preparing defenders for a changing cyber landscape," CoSAI said in a statement.

The initial efforts include creating a secure bubble and systems of checks and balances around the access and use of AI, and creating a framework to protect AI models from cyberattacks, according to Google, one of the coalition's founding members. Google, OpenAI, and Anthropic own the most widely used large language models (LLMs). Other members include infrastructure providers Microsoft, IBM, Intel, Nvidia, and PayPal.

"AI developers need — and end users deserve — a framework for AI security that meets the moment and responsibly captures the opportunity in front of us. CoSAI is the next step in that journey, and we can expect more updates in the coming months," wrote Google's vice president of security engineering, Heather Adkins, and Google Cloud's chief information security officer, Phil Venables.

**AI Safety as a Priority**

AI safety has raised a host of cybersecurity concerns since the launch of ChatGPT in 2022. Those include misuse for social engineering to penetrate systems and the creation of deepfake videos to spread misinformation. At the same time, security firms, such as Trend Micro and CrowdStrike, are now turning to AI to help companies root out threats.

AI safety, trust, and transparency are important as results could steer organizations into faulty — and sometimes harmful — actions and decisions, says Gartner analyst Avivah Litan.

"AI cannot run on its own without guardrails to rein it in — errors and exceptions need to be highlighted and investigated," Litan says.

AI security issues could multiply with technologies such as AI agents, which are add-ons that generate more accurate answers from custom data.

"The right tools need to be in place to automatically remediate all but the most opaque exceptions," Litan says.

US President Joe Biden has challenged the private sector to prioritize AI safety and ethics. His concern was around AI's potential to propagate inequity and to compromise national security.

In July 2023, President Biden issued an executive order that required commitments from major companies that are now part of CoSAI to develop safety standards, share safety test results, and prevent AI's misuse for biological materials and fraud and deception.

CoSAI will work with other organizations, including the Frontier Model Forum, Partnership on AI, OpenSSF, and MLCommons, to develop common standards and best practices.

MLCommons this week told Dark Reading that in fall this year it will release an AI safety benchmarking suite that will rate LLMs on responses related to hate speech, exploitation, child abuse, and sex crimes.

CoSAI will be managed by OASIS Open, which, like the Linux Foundation, manages open source development projects. OASIS is best known for its work around the XML standard and for the ODF file format, which is an alternative to Microsoft Word's .doc file format.

**About the Author(s)**

Agam Shah has covered enterprise IT for more than a decade. Outside of machine learning, hardware, and chips, he's also interested in martial arts and Russia.

Tech Giants Agree to Standardize AI Security

After an extended period underground, the Chinese hackers have added a more sophisticated infection chain and additional EDR evasion techniques.

Source: Rokas Tenys via Alamy Stock Photo

The mysterious and covert Chinese hacking group GhostEmperor has resurfaced after a two-year hiatus with even more advanced capabilities and evasion techniques.

Initially discovered by Kaspersky Lab in 2021, GhostEmperor was notorious for targeting telecommunications and government entities in Southeast Asia through sophisticated supply chain attacks.

The group's recent activities were uncovered by cybersecurity firm Sygnia, which detailed the group's evolved attack methods in a report released this week. 

A recent investigation by the security firm into a compromised network of an unidentified client revealed that GhostEmperor was behind the breach.

The attackers used the compromised network as a launchpad to infiltrate another victim's systems, an incident which marks the first confirmed activity from GhostEmperor since 2021.

Sygnia's investigation found GhostEmperor had updated its well-known Demodex rootkit, a kernel-level tool that grants the highest level of access to the victim's operating system while evading endpoint detection and response (EDR) software.

The updated variant includes a reflective loader to execute the Core-Implant and employs new obfuscation techniques, such as different file names and registry keys. Additionally, the variant analyzed appears to have been compiled in July 2021, indicating it might be a newer version than what Kaspersky originally documented.

**Infection Chain, Evasion Techniques**

The analysis also noted significant alterations in GhostEmperor's infection chain.

Traditionally, the group gained initial access by exploiting vulnerabilities such as ProxyLogon. A batch file was executed to initiate the infection, deploying various tools that communicated with a set of command-and-control (C2) servers.

In the most recent breach, GhostEmperor employed the WMIExec tool from the Impacket Toolkit to execute commands remotely via Windows Management Instrumentation (WMI), initiating the infection chain on the compromised machine.

The report noted the new infection chain is more sophisticated and stealthier, incorporating additional EDR evasion techniques.

“We are seeing, again and again — especially in this scenario, when we went into the customer's domain — that people are not aware of their environment,” Azeem Aleem, Sygnia's managing director, told The Record, cybersecurity firm Recorded Future's news site. 

**GhostEmperor Left a Global Trail**

When GhostEmperor was first identified in September 2021, Kaspersky described the group as a highly skilled and sophisticated threat actor, primarily targeting high-profile entities in Southeast Asia, including Malaysia, Thailand, Vietnam, and Indonesia. 

Additional victims included entities in Egypt, Ethiopia, and Afghanistan, indicating a broad and ambitious scope of operations.

The initial discovery by Kaspersky highlighted GhostEmperor's use of multistage malware designed for stealth and persistence, leveraging rootkits and other advanced tools to maintain a foothold in compromised networks.

The group's ability to evade detection and employ complex attack strategies led researchers to categorize them as a state-sponsored actor, given the resources and expertise required to develop and deploy such tools.

**Chinese Threat Actors Multiply **

This month alone Chinese threat actors have been discovered targeting Internet cafes in China that allow attackers to execute malicious code with the highest privileges. 

The Chinese state-sponsored actor APT40 was discovered exploiting newly discovered software vulnerabilities within hours targeting organizations globally, including repeated attacks on Australian networks. At the start of the month China-backed threat group Velvet Ant was discovered using targeted malware to exploit a vulnerability in Cisco's NX-OS software for managing a variety of switches.

**About the Author(s)**

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Tag

#mac