Plus: A major new supply chain attack, Biden’s spyware executive order, and a hacking campaign against Exxon’s critics.

Did you hear that Donald Trump got indicted this week? Of course you did. Ridiculous question. The first-ever indictment of a former US president had been looming for weeks. And now that it's happened, the move by a Manhattan grand jury is deepening fissures in America's already-fraught political divide. But while Trump headlines flood your feeds, there were plenty of other big stories this week, none of which have anything to do with any of _that_. 

In Germany, police are cracking down on people who post adult content to websites and platforms that lack age-verification checks, like Twitter. This has resulted in fines and threats of jail time, while some performers are deleting their accounts—or fleeing the country. This is just one of the impacts of a wave of age-verification laws sweeping the global internet.

Meanwhile, in darker corners of the internet, North Korea–backed hackers are using a rare technique to launder their stolen cryptocurrencies: paying to mine clean crypto with loot taken from their victims. The tactic is meant to throw blockchain detectives off the trail of swiped funds. Speaking of ill-gotten gains, Costa Rica is still reeling from a series of ransomware attacks last spring that left swaths of the country's infrastructure devastated. As a result, the US government is sending $25 million in aid to help it recover. 

Most victims of cyberattacks don't get help from the US government, however. Fortunately for them, this week Microsoft announced its new system, Security Copilot, which integrates OpenAI's ChatGPT and home-grown artificial intelligence to help incident responders managed breaches. Of course, the best way to protect yourself from getting hacked is to make sure all your systems are fully patched and up to date.

To top it all off, this week we revealed new documents obtained through a public records request which show that Good Smile, a major toy company that creates figurines for companies like Disney, invested $2.4 million in the toxic imageboard 4chan, helping to keep the company online.

But that's not all. Each week, we dive into the stories we weren't able to report on ourselves. Click on the headlines to read the full stories. And stay safe out there.

The Russian government and military remain the most aggressive in the world when it comes to disruptive acts of cyber-sabotage against civilian infrastructure. But documents leaked by a whistleblower inside a Russian intelligence contractor seem to reveal some new and alarming pages of the Kremlin’s hybrid war playbook.

A consortium of investigative journalists at 11 news outlets including Paper Trail Media, _The Guardian_, and _The Washington Post_ obtained a leak of secret documents from a Russian cybersecurity contractor firm called Vulkan, the Russian word for _volcano_. The documents, which were also analyzed by cybersecurity firm Mandiant, reveal that Vulkan sold software tools to Russian intelligence agencies like the KGB-successor FSB and the GRU military intelligence agency, including its notorious cyberattack-focused team known as Sandworm. 

The tools include one piece of software for scanning the internet for security vulnerabilities and another that seemed designed to organize disinformation campaigns and coordinate offensive hacking operations. Perhaps most disturbing of all was a proposal for a third tool that appeared to be designed to allow hackers to train in simulated networks of infrastructure systems like railways and pipelines, with specific references to methods to sabotage those systems with catastrophic effects. But it’s not clear whether that last tool was ever built, and if so, whether it was used primarily for offensive hacking or “red team” defensive training, or whether it led to the development of any actual hacking capabilities targeting critical infrastructure.

Security experts say North Korea–linked hackers have successfully carried out a supply chain attack through compromised versions of 3CX, a video and voice communications platform used by high-profile companies including American Express and Mercedes-Benz. 3CX says it has more than 600,000 customers. The hackers were able to install malware within the Mac and Windows versions of 3CX, which were signed with the company's keys, thus allowing the Trojanized apps to go undetected. The attack is being compared to Russian hackers' SolarWinds supply chain attack, which wrought havoc around the world for months. 

As hacker-for-hire firms' tools proliferate to governments around the world, the Biden administration has made clear: The US will not be one of that industry's customers. A new executive order bans US agencies from buying access to that commercial spyware, a key step in a growing effort to curb companies like NSO Group, Cytrox, and Candiru, which have enabled surveillance and human rights abuses from Spain to Mexico to Saudi Arabia. US agencies haven't been confirmed to be past customers of any of those companies, though the FBI did at one point test NSO's Phantom spyware before ultimately walking away from a deal with the company. But the order nonetheless sets a precedent for governments worldwide, assuring that US taxpayer funds won't flow to a dangerous industry whose tools have offered intrusive hacking techniques to repressive regimes targeting activists, journalists, and human rights defenders.

While we're on the subject of dangerous hacker-for-hire firms targeting vulnerable activists: The _Wall Street Journal_ reported this week that Indian hacker-for-hire firm BellTroX targeted climate change activists campaigning against Exxon, including Greenpeace, Public Citizen, 350.org, and the Rockefeller Family Fund. The firm was hired by Israeli private detective Aviram Azari, who has since pleaded guilty to hacking conspiracy charges. Exactly who hired Azari remains unclear, and Exxon denies having any connection to Azari or the hacking campaign. The hackers successfully accessed email accounts for Greenpeace, Public Citizen, and 350.org, but it's not yet clear whether they successfully penetrated the Rockefeller Family Fund, an organization created by Rockefeller heirs that has worked to combat the oil industry's efforts to lobby against climate change solutions.

‘Vulkan’ Leak Offers a Peek at Russia’s Cyberwar Playbook

Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access.
"One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security

Microsoft has patched a misconfiguration issue impacting the Azure Active Directory (AAD) identity and access management service that exposed several "high-impact" applications to unauthorized access.

"One of these apps is a content management system (CMS) that powers Bing.com and allowed us to not only modify search results, but also launch high-impact XSS attacks on Bing users," cloud security firm Wiz said in a report. "Those attacks could compromise users' personal data, including Outlook emails and SharePoint documents."

The issues were reported to Microsoft in January and February 2022, following which the tech giant applied fixes and awarded Wiz a $40,000 bug bounty. Redmond said it found no evidence that the misconfigurations were exploited in the wild.

The crux of the vulnerability stems from what's called "Shared Responsibility confusion," wherein an Azure app can be incorrectly configured to allow users from any Microsoft tenant, leading to a potential case of unintended access.

Interestingly, a number of Microsoft's own internal apps were found to exhibit this behavior, thereby permitting external parties to obtain read and write to the affected applications.

This includes the Bing Trivia app, which the cybersecurity firm exploited to alter search results in Bing and even manipulate content on the homepage as part of an attack chain dubbed BingBang.

To make matters worse, the exploit could be weaponized to trigger a cross-site scripting (XSS) attack on Bing.com and extract a victim's Outlook emails, calendars, Teams messages, SharePoint documents, and OneDrive files.

"A malicious actor with the same access could've hijacked the most popular search results with the same payload and leak sensitive data from millions of users," Wiz researcher Hillai Ben-Sasson noted.

Other apps that were found susceptible to the misconfiguration issue include Mag News, Central Notification Service (CNS), Contact Center, PoliCheck, Power Automate Blog, and COSMOS.

THN WEBINAR

Become an Incident Response Pro!

Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!

Don't Miss Out – Save Your Seat!

The development comes as enterprise penetration testing firm NetSPI revealed details of a cross-tenant vulnerability in Power Platform connectors that could be abused to gain access to sensitive data.

Following responsible disclosure in September 2022, the deserialization vulnerability was resolved by Microsoft in December 2022.

The research also follows the release of patches to remediate Super FabriXss (CVE-2023-23383, CVSS score: 8.2), a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft Fixes New Azure AD Vulnerability Impacting Bing Search and Major Apps

Launching CSPM, container workload security, and cloud vulnerability management to modernize cloud security operations.

**MOUNTAIN VIEW, Calif.--(****BUSINESS WIRE****)--** Elastic (NYSE: ESTC) (“Elastic”), the company behind Elasticsearch, today announced expanded capabilities for Elastic Security including Cloud Security Posture Management (CSPM) for AWS, container workload security, and cloud vulnerability management. Building on the previously released Kubernetes security posture management (KSPM) and Cloud Workload Protection Platform (CWPP) capabilities, Elastic now delivers a comprehensive security analytics solution that includes complete Cloud Native Application Protection for AWS.

According to Gartner, more than 85% of organizations are moving to a cloud-first model and 95% of new digital workloads are being deployed on cloud-native platforms. However, 99% of cloud failures will be the customer’s fault due to mistakes like cloud misconfigurations. Research from Elastic Security Labs found that nearly 1 in 3 (33%) attacks in the cloud leverage credential access, indicating that users often overestimate the security of their cloud environments and fail to configure and protect them adequately.

“Many companies have a fragmented approach to cloud security, as security and devops teams pivot between multiple dashboards,” said **Ken Buckler, Research Analyst - Security and Risk Management, Enterprise Management Associates.** “Unified visibility across all cloud resources, as well as on-premises systems, is critical to quickly identify and stop security threats at scale, especially when attackers repeatedly cross boundaries between cloud and on-premise in attempts to evade detection. With Elastic Security, organizations can streamline their cloud security operations by establishing real-time, unified visibility across their environments in a single interface.”

Elastic’s comprehensive suite of cloud security capabilities includes:

*   **Cloud Workload Protection** (generally available) — Expands on existing runtime security for traditional endpoints, enabling cloud security teams to gain deep visibility into the entire runtime workload including standalone Linux workloads, virtual machines, and infrastructure hosted in AWS, Google Cloud, and Microsoft Azure.
*   **Container Workload Protection** (beta) — Provides cloud security teams deep visibility into container workloads in managed Kubernetes environments with pre-execution runtime analysis for workloads running in Amazon EKS, GKE, and AKS environments.
*   **Cloud Security Posture Management** (beta) — Enables cloud security teams to continuously detect and remediate misconfigurations across workloads in AWS and Amazon EKS in real-time with Center for Information Security (CIS) benchmark controls, out-of-the-box integrations, and posture management dashboards and reports.
*   **Cloud Vulnerability Management** (beta) — Uncovers cloud-native vulnerabilities in AWS EC2 workloads with minimal resource utilization on workloads and enumerating vulnerabilities with risk context to help cloud security teams identify and respond to potential risk.

“Elastic Security is a unified security solution offering SIEM, endpoint, and cloud security capabilities—rooted in data management and analytics—that enables customers to protect, investigate and respond to threats across their entire infrastructure,” said **Santosh Krishnan, General Manager of Elastic Security, Elastic**. “The expansion of Elastic Security’s comprehensive cloud security capabilities provides organizations with the power they need to modernize their cloud security operations, improve attack surface visibility, reduce vendor complexity, and accelerate remediation.”

For more information, read the blog.

Gartner Press Release, "Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences," November 10, 2021.

**About Elastic:**

Elastic (NYSE: ESTC) is a leading platform for search-powered solutions. We help organizations, their employees, and their customers accelerate the results that matter. With solutions in Enterprise Search, Observability, and Security, we enhance customer and employee search experiences, keep mission-critical applications running smoothly, and protect against cyber threats. Delivered wherever data lives, in one cloud, across multiple clouds, or on-premise, Elastic enables 19,900+ customers and more than half of the Fortune 500, to achieve new levels of success at scale and on a single platform. Learn more at elastic.co.

The release and timing of any features or functionality described in this document remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

_Elastic_ and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Elastic Expands Cloud Security Capabilities for AWS

The State of Email Security Report reveals cyber risk commands the C-suite's focus.

**DUBAI****, UAE****,** **March 31, 2023** **/PRNewswire/ --** Mimecast, an advanced email and collaboration security company, today announced the publication of its annual "The State of Email Security 2023" (SOES) report. The global survey is based on responses from 1,700 IT and security decision-makers, providing readers with key takeaways on the current threat landscape and offering recommendations to help organizations improve their cybersecurity posture.

Download the full report – Mimecast's "The State of Email Security 2023"

The global report sheds light on the threats affecting companies across the globe, including the United Arab Emiratesand Saudi Arabia. Ninety four of respondents from the UAE and 100% from Saudi Arabia  reported to have been targeted by emailed-based phishing attacks in the last year, but they all said that they either have a system to monitor and protect against email-borne threats or are actively planning to roll one out.

**Highlights From This Year's Report** 

**Cyber awareness in the C-suite –** As cyberattacks continue to become more sophisticated, business leaders in the region have shown greater willingness to confront the risks involved and invest in proper measures to keep cyberattacks at bay. On average, 95% of companies in the UAE and Saudi Arabia reported needing stronger protection for their Microsoft 365 and Google Workspace applications, while 61% said their company needs to spend more on cybersecurity. However, all companies reported some form of cyber awareness training at their workplace, thus indicating a greater alertness to future attacks. With the increased focus on cyber preparedness by the C-suite, CISOs feel more empowered to articulate their requirements and implement strategies and tactics that will make their organization more secure.  

**Collaboration tools, essential but risky –** With workforces still divided between the office and remote locations, collaboration tools remain an essential yet risky part of communicating with team members. Eighty four percent of SOES participants in UAE and as many as 94% in Saudi Arabia agree that collaboration tools like Microsoft Teams or Slack are essential to their working function, but 82% from both countries expect to be harmed in 2023 by a collaboration-tool-based attack. The sharp increase in the use of these tools puts it directly in the minds of CISOs to ensure that adequate security measures are put in place for them to continue working protected while using them.

**Improved cyber preparedness –** There is a growing realization that cyber risk isn't just an IT problem — it's a critical vulnerability that directly equates to overall business risk. As such, organizations are taking the necessary measures to prepare for impending attacks.   Half are using artificial intelligence and machine learning to help under-resourced teams stay ahead of the curve, while the other half have plans to implement such measures. The use of AI tools will undoubtedly help under-resourced cybersecurity teams stay ahead of attacks and manage threats accordingly. Sixty four percent of Saudi Arabian respondents cited threat prevention as the top benefit of implementing AI, while 54% of organisations in UAE said reduced human error across the company was the biggest advantage. Overall, most companies believe that AI systems will help revolutionize the ways in which cybersecurity is practiced.

"Supply chain vulnerabilities, the rise of online collaboration and the growth of digital networking are among the chief reasons the cyber landscape is becoming more treacherous. The intersection of communications, people, and data carries a tremendous amount of risk, as malicious actors exploit the interconnectedness of the modern work surface," says Werno Gevers, regional leader of Mimecast Middle East. "Our research shows that corporate boards have finally woken up to the realisation that cyber risk is business risk, so it's time for CISOs to make the case for increased budgets and greater cyber resiliency."

Download the full report and view the UAE and Saudi Arabia infographics to learn more, and stay tuned to the Mimecast blog Cyber Resilience Insights_._

**Mimecast: Work Protected™**  

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.  

_Mimecast, the Mimecast logo, and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in_ the United States _and/or other countries.  All rights reserved.  All other third-party trademarks and logos contained in this press release are the property of their respective owners._

SOURCE Mimecast

Mimecast Report Reveals Nearly 60% of Companies in UAE and Saudi Arabia Need to Increase Cybersecurity Spending

forem up to v2022.11.11 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /articles/{id}. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.

  
**Forem 🌱**

**For Empowering Community**

   

Welcome to the Forem codebase, the platform that powers dev.to. We are so excited to have you. With your help, we can build out Forem’s usability, scalability, and stability to better serve our communities.

**What is Forem?**

Forem is open source software for building communities. Communities for your peers, customers, fanbases, families, friends, and any other time and space where people need to come together to be part of a collective. See our announcement post for a high-level overview of what Forem is.

dev.to (or just DEV) is hosted by Forem. It is a community of software developers who write articles, take part in discussions, and build their professional profiles. We value supportive and constructive dialogue in the pursuit of great code and career growth for all members. The ecosystem spans from beginner to advanced developers, and all are welcome to find their place within our community. ❤️

**Table of Contents**

*   What is Forem?
*   Table of Contents
*   Community
*   Contributing
*   Getting Started
    *   Prerequisites
        *   Local
        *   Containers
    *   Installation Documentation
*   Developer Documentation
*   Core team
*   Vulnerability disclosure
*   Acknowledgements
*   License

**Community**

For a place to have open discussions on features, voice your ideas, or get help with general questions please visit our community at forem.dev.

**Contributing**

We encourage you to contribute to Forem! Please check out the Contributing to Forem guide for guidelines about how to proceed.

**Getting Started**

This section provides a high-level quick start guide. If you're looking for a more thorough installation guide (for example with macOS, you'll want to refer to our complete Developer Documentation.

We run on a Rails backend, and we are currently transitioning to a Preact\-first frontend.

A more complete overview of our stack is available in our docs.

To **launch Forem in Gitpod**, navigate to https://gitpod.io/#https://github.com/{your\_github\_username}/forem.

**Prerequisites****Local**

*   Ruby: we recommend using rbenv to install the Ruby version listed on the badge.
*   Yarn 1.x: please refer to their installation guide.
*   PostgreSQL 11 or higher.
*   ImageMagick: please refer to ImageMagick's installation instructions.
*   Redis 4 or higher.

**Containers**

**Linux**

*   Podman 1.9.2 or higher
*   Podman Compose 0.1.5 or higher

**OS X**

*   Docker Desktop for Mac

**Installation Documentation**

Please see our installation guides, such as the one for macOS.

**Developer Documentation**

Check out our dedicated docs page for more technical documentation.

**Core team**

*   @benhalpern
*   @jessleenyc
*   @peterkimfrank
*   @maestromac
*   @lightalloy
*   @ridhwana
*   @rt4914
*   @jaw6
*   @lboogie2004
*   @klardotsh

**Vulnerability disclosure**

Forem is the open source software which powers DEV.

We welcome security research on DEV under the terms of our vulnerability disclosure policy.

**Acknowledgements**

Thank you to the Twemoji project for the usage of their emojis.

**License**

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. Please see the LICENSE file in our repository for the full text.

Like many open source projects, we require that contributors provide us with a Contributor License Agreement (CLA). By submitting code to the Forem project, you are granting us a right to use that code under the terms of the CLA.

Our version of the CLA was adapted from the Microsoft Contributor License Agreement, which they generously made available to the public domain under Creative Commons CC0 1.0 Universal.

Any questions, please refer to our license FAQ doc or email yo@dev.to.

  
**Happy Coding** ❤️

⬆ Back to Top

CVE-2023-27160: GitHub - forem/forem: For empowering community 🌱

Decentralized identity products are increasingly projected to be introduced to the market in the next couple of years.

Although the decentralized identity market is still in its infancy, it has been gaining traction in recent years and has the potential to change existing identity, authentication, and access for the better. In 2022, the decentralized identity market was projected to reach $270 million.

    

Through decentralization and blockchain technology, there are an increasing number of people taking back control of their data. Although the digital identity space is still in its initial stages, it is possible that decentralized identity with blockchain could make identity management decentralized, simplified, and seamless, completely transforming the market landscape. Startups and DID initiatives continue to develop proofs of concept (PoC) for decentralized identity in government, finance, healthcare, and other fields, and the opportunities for decentralized identity continue to grow and evolve.

**eIDAS 2.0 Driving Growth**

Omdia believes that the eIDAS 2.0 regulation will be a significant driver for growth in decentralized identity during the forecast period. The updated eIDAS 2.0 initiative is built on the existing, cross-border, legal framework for trusted digital identities, the European electronic identification, and trust services initiative (eIDAS Regulation), which was adopted in 2014. By September 2023, all EU member states must ensure that a digital identity wallet is available to all EU citizens, residents, and businesses in the EU and usable not only for identity documents but for all attestations, including those with sensitive personal data such as health-related data and documents.

**Advantages of Decentralized Identity**

The advantages that decentralized identity gives users over traditional identity and access management solutions include control, security, privacy, and ease of use:

*   Control – Control gives identity owners and digital devices power over their digital identifiers. Because users have complete control and ownership of their identities and credentials, they can decide which information they want to reveal and can prove their claims without depending on any other party.
*   Security – Security reduces attack surfaces by storing personal identifiable information (PII). Blockchain is an encrypted decentralized storage system that is safe, flexible, and reduces the risk of an attacker gaining unauthorized access to steal or monetize user data.
*   Privacy – Privacy enables entities to use the principle of least privilege (PoLP) to designate minimal or selective access for identity credentials. PoLP is a term correlated with information security. It states that any person, gadget, or process should only have the minimal rights necessary to execute the considered task.
*   Ease of use – Decentralized identity technology gives users the advantage of easily creating and managing their identities with user-friendly neoteric decentralized identity apps and platforms.

**Disadvantages of Decentralized Identity**

In contrast, the disadvantages of decentralized identity include no large-scale adoption, legacy systems, and regulation and identity data fragility:

*   No large-scale adoption – Governments and organizations are still attempting to figure out how to deploy decentralized identity technology at scale while most non-tech users have not even heard of this phenomenon.
*   Legacy systems and regulation – Replacing existing legacy systems and creating interoperable global standards and governance are also important issues.
*   Identity data fragility – While a secondary issue, identity data fragility, which refers to duplication, confusion, and inaccuracy in identity management, remains.

**More Decentralized Identity Products Coming**

The popularity of decentralized identity is gathering pace with vendors such as IBM, Microsoft, and Ping Identity entering the fray. Even governments are looking at the technology. Omdia believes that over the next couple of years, more decentralized identity products will be launched onto the market, and this will help the technology become more mainstream. The decentralized identity market is expected to have significant growth during the forecast period, increasing to $6.5 billion in 2027.

Is Decentralized Identity About to Reach an Inflection Point?

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass.

White Oak Security discovered an instance of Gladinet’s CentreStack server which was vulnerable to an authentication bypass and an arbitrary file upload resulting in remote code execution.

This issue has been remediated as of release 13.5.9808 – June 13, 2022 (1). These issues were tracked as S-8238.

**CentreStack Vulnerability Disclosure Timeline**

White Oak Security (WOS) followed responsible disclosure guidelines by giving Gladinet time to remediate this vulnerability and allow customers ample time to patch their instances. Once we were able to establish contact with Gladinet, we appreciated their quick response to remediating the reported issues.

**4/16/22**: Attempted to contact Gladinet via online support ticket.

**4/22/22**: Second attempt to contact Gladinet via online support ticket.

**5/10/22**: Attempted to contact Gladinet via generic cold email methods.

**5/12/22**: Successfully contacted Gladinet via customer support phone number and follow-up emails.

**5/16/22**: Vulnerabilities disclosed to Gladinet via online support ticket.

**6/13/22**: Patch made available by Gladinet, identified by ID S-8238.

**2/2/23:** White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

**CentreStack**

CentreStack is an on-premise solution that provides file share, backup services, and remote file access which can be managed by a web application.

**CentreStack Exposure**

Using Shodan, the CentreStack web server can be found exposed on the internet on a handful of servers. 

**Analysis: Unauthenticated Password Reset**

White Oak Security identified an access control violation where unauthenticated attackers can access the change password controller and, without providing the original user account password, force an update for an existing user account. The result is a full authentication bypass which allows a malicious user to gain access to an administrator account.

As a demonstration, an invalid login attempt for the account admin@test.com was performed using the password: “fakepassword!.

The application denies the login request as expected due to an invalid password:

Next, the unauthenticated malicious actor forcefully navigates to the password reset application page. A form is created which prompts the user to attempt a password reset.

The malicious actor intercepts this request, modifies the hfTicket value to contain a username, in this case, the victim user admin@test.com, and sets a new password for the account “fakepassword!”.

The application successfully processes this request:

Lastly, the malicious actor once again navigates to the main login page and attempts to login as the admin@test.com user with the newly forced password.

The application successfully authenticates the user since the account password had been changed, and the malicious actor gains the permissions of any account that had been reset, in this case, full administrative privileges.

**Analysis: Unrestricted File Upload**

Now that White Oak Security established a valid authentication bypass, WOS focused its efforts on obtaining code execution. An unrestricted file upload vulnerability was discovered within the Cluster and Tenant branding functionality, accessible by an administrator of the application. When chained together with an abuse of the Anti-Virus engine, the result is code execution. 

The branding image upload functionality does not limit what file types that can be uploaded to the server, which allows a malicious actor to upload a custom executable file. In this example, a reverse shell binary is uploaded in the Logo handler:

Once the binary has been uploaded, the application reveals a broken image as expected since the content is not actually an image indicating that our upload has been successful:

Upon inspecting the network traffic, we can see that the download for the logo image does return the binary program:

In order to achieve command execution, the full path of the uploaded image is required in order to be exploited with the Anti-Virus engine. On the filesystem, we can observe that a random GUID has been created within the **C:/CentreStack** directory.

While this GUID is random, the GUID can be leaked by interacting with the local file image editor or local application editor with any uploaded file:

The network traffic for this request leaks the full GUID in the LocalEditPage.aspx application response:

Next, the filename of the raw binary also contains a GUID with a fixed name “Brand\_LogoImg” appended to the GUID that is generated.

However, this value is simply the **_y-glad-brid_** session value which can easily be found throughout any authenticated request:

Now that the full path of the uploaded binary has been discovered through the application’s own components, the Anti-Virus engine scanner location can be modified to the full path of the binary:

Since the Anti-Virus engine does not limit the path of the potential programs that can be executed, any arbitrary binary on the system can be executed as the Anti-Virus engine.

Lastly, a malicious actor simply has to upload any file to the CentreStack server which will trigger the Anti-Virus scan to execute and run the custom binary:

On the attacker-controlled machine, the reverse shell is executed and a successful connection is observed. The process is additionally being executed with the highest permissions of **NT AUTHORITY\\SYSTEM**.

Upon inspecting the executing processes on the server with ProcessExplorer (2), the execution path is observed as the **GladinetCloudMonitor.exe** service executing the binary as NT AUTHORITY\\SYSTEM compared to the web server permissions of IIS APPPOOL. This is due to the Anti-Virus programs requiring a higher permission to scan local files, however, this gains an attacker full administrative privileges over the underlying server.

While the unrestricted file upload vulnerability was used to upload arbitrary files to the server, White Oak Security could have alternatively uploaded a malicious file to the server using the built-in file storage mechanism, and simply pointed the Anti-Virus engine to execute that program and obtain a shell in that fashion. 

However, it was more interesting to identify a vulnerability rather than built-in functionality to chain together this attack path.

****More From White Oak Security****

White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.

Read more from White Oak Security’s pentesting team.

****Sources****

1\. https://www.centrestack.com/p/gce\_latest\_release.html – CentreStack Release History

2\. https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer – ProcessExplorer

CVE-2023-26829: CentreStack Vulnerability Disclosure | White Oak Security

Plus: Microsoft Outlook and Android patch serious flaws, Chrome and Firefox get fixes, and much more.

Meanwhile, researchers at Google’s Project Zero have reported 18 zero-day vulnerabilities in Exynos Modems made by Samsung. The four most severe—CVE-2023-24033, CVE-2023-26496, CVE-2023-26497, and CVE-2023-26498—allow internet-to-baseband remote code execution, the researchers wrote in a blog. “Tests conducted by Project Zero confirm that the four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number,” they wrote. 

Affected devices include those in the S22, M33, M13, M12, A71, A53, A33, A21s, A13, A12, and A04 series, as well as Google’s Pixel 6 and Pixel 7 series.

Patch timelines will vary per manufacturer, but affected Pixel devices have received a fix for all four of the severe internet-to-baseband remote code execution vulnerabilities. In the meantime, users with affected devices can protect themselves by turning off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings, Google said.

Google Chrome 

Google has released Chrome 111 of its popular browser, fixing eight security flaws, seven of which are memory safety bugs with a high severity rating. Four use-after-free vulnerabilities include a high-severity issue tracked as CVE-2023-1528 in Passwords and CVE-2023-1529, an out-of-bounds memory access flaw in WebHID.

Meanwhile, CVE-2023-1530 is a use-after-free bug in PDF reported by the UK’s National Cyber Security Centre, and CVE-2023-1531 is a high-severity use-after-free vulnerability in ANGLE.

None of the issues are known by Google to have been used in attacks, but given their impact, it makes sense to update Chrome when you can.

Cisco

Enterprise software giant Cisco has published the twice-yearly security bundle for its IOS and IOS XE Software, fixing 10 vulnerabilities. Six of the issues fixed by Cisco are rated as having a high impact, including CVE-2023-20080, a denial of service flaw, and CVE-2023-20065, a privilege escalation bug.

At the start of the month, Cisco fixed multiple vulnerabilities in the web-based management interface of some Cisco IP Phones that could allow an unauthenticated, remote attacker to execute arbitrary code or cause denial of service. With a CVSS score of 9.8, the worst is CVE-2023-20078, a vulnerability in the web-based management interface of Cisco IP Phone 6800, 7800, and 8800 series multiplatform phones. 

An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface, Cisco said, adding, “A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of an affected device.”

Firefox

Privacy-conscious developer Mozilla has released Firefox 111, fixing 13 vulnerabilities, seven of which are rated as having a high impact. These include three flaws in Firefox for Android, including CVE-2023-25749, which may have resulted in third-party apps opening without a prompt.

Meanwhile, two memory safety bugs, CVE-2023-28176 and CVE-2023-28177, have been fixed in Firefox 111. “Some of these bugs showed evidence of memory corruption, and we presume that with enough effort some of these could have been exploited to run arbitrary code,” Mozilla said.

SAP

It’s another month of big updates for software maker SAP, which has released 19 new security notes in its March Security Patch Day guidance. Issues fixed during the month include four with a CVSS score of over 9. 

One of the worst of these is CVE-2023-25616, a code injection vulnerability in SAP Business Objects Business Intelligence Platform. This vulnerability in the Central Management Console allows an attacker to inject arbitrary code with a “strong negative impact” on the integrity, confidentiality, and availability of the system, security firm Onapsis said.

Finally, with a CVSS score of 9.9, CVE-2023-23857 is an improper access control bug in SAP NetWeaver AS for Java. “The vulnerability allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services,” Onapsis said.

Apple's iOS 16.4: Security Updates Are Better Than a Goose Emoji

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

Tag

#microsoft