We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements.

Tuesday, October 24, 2023 08:10

**Quarterly threat report: Telecommunications and education are most-targeted verticals**

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.  

However, ever-present ransomware continues to be a threat, accounting for 10 percent of engagements. This quarter, which covers July, August and September, featured the LockBit and BlackByte ransomware families, which Talos IR has observed in previous quarters. But for the very first time, Talos IR observed a new variant of BlackByte ransomware, BlackByte NT. 

 Telecommunications and education were the most targeted verticals, each accounting for 20 percent of engagements. Threat actors and groups with varying motives and sophistication frequently targeted telecommunications organizations, continuing a trend where it was consistently a top-targeted industry vertical in 2022, according to Talos IR.  

Telecommunications companies are attractive targets due to their control over several critical infrastructure assets, serving as a gateway for adversaries to access other businesses, subscribers, or third-party providers. These organizations also have a large amount of customer data that is often targeted by financially motivated cybercriminals such as ransomware groups.   

Educational institutions are continuously targeted by cybercriminals due to vast amounts of personally identifiable student data, including financial and counseling records, as well as research institutes rich in intellectual property. Many education organizations have limited budgets devoted to cybersecurity, hampering defenses.      

**Web application targeting on the rise **

Attacks against web applications — and subsequent post-compromise activity — were the top-observed threat in Q3, accounting for 30 percent of engagements, a significant increase compared to the previous quarter. After gaining initial access, adversaries leveraged techniques such as launching web injection attacks, deploying web shells, and using commercial off-the-shelf frameworks such as Supershell, which deploys web shells to maintain access to a system. Talos IR is seeing a growing trend of adversaries leveraging advanced functionalities of various command and control (C2) frameworks, such as the newly observed Supershell C2 framework, to identify weaknesses in web servers and deploy web shells more easily. 

Supershell is a web-based management platform that allows attackers to remotely execute commands, manage compromised systems, and collaborate with multiple users. Before downloading Supershell, the attackers placed malicious XML inputs containing a reference to an external entity using XML external entity (XXE) injection attacks in hopes the web server had a misconfigured XML parser. Based on our analysis, Supershell appears to be designed for predominantly Chinese-speaking individuals as the tool is written for a Chinese-only web interface console. There is also a clear preference for Chinese in Supershell’s GitHub documentation, although an English-translated option exists.  

Although the development of recent frameworks that make the deployment of web shells easier benefits sophisticated adversaries, these frameworks may also reduce the barrier for entry for less sophisticated attackers. Given the growing trend of commercial off-the-shelf C2 frameworks within the last year, including Alchimist and Manjusaka, it is likely this trend will continue to play out as adversaries increasingly turn to adopt additional capabilities for performing web-based attacks. 

Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. Talos IR responded to an engagement where attackers uploaded several PHP web shells to an unpatched web server, demonstrating how threat actors commonly chain together web shells to build a more flexible toolkit. Within this cluster of activity, the attackers could not further carry out any post-compromise objectives due to the presence of a Web Application Firewall (WAF), highlighting the importance of implementing a WAF between public-facing servers and the Internet to help defend against these attacks.   

In several engagements this quarter, we observed adversaries leveraging Structured Query Language injection (SQLi) attacks, a technique in which adversaries enter SQL commands into an input field that does not use validation and sanitization. We increasingly see adversaries continue to use scanning frameworks to launch SQLi attacks. In one cluster of activity, Talos IR identified multiple SQLi attempts and more than 1,000 instances of SQLMap, an open-source utility often used to identify and exploit SQLi vulnerabilities. Adversaries also used a SQL injection module within Nessus, a proprietary vulnerability scanner, highlighting the threat actor’s intent on identifying SQLi vulnerabilities for expanded access.  

**Ransomware remains a threat **

Ransomware activity continued this quarter accounting for 10 percent of total IR engagements in Q3. We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements. 

LockBit was one of the most prevalent variants seen in Talos IR engagements since September 2022, consistent with a wide body of reporting calling LockBit one of the most active ransomware threats this year.  

Talos IR responded to a LockBit ransomware attack where the adversaries gained an initial foothold into the environment by compromising a valid contractor account. Once inside, attackers began dumping credentials from internal systems and were able to create an administrator account to elevate privileges and remain persistent in the environment. To evade detection, the attackers cleared the Windows event logs and disabled several security tools, including endpoint detection and response (EDR) and antivirus. LockBit established C2 channels via multiple methods, including the adversary simulation tool Cobalt Strike and the legitimate remote access software AnyDesk. The attackers modified domain policies to create a scheduled task that eventually executed the LockBit ransomware binary.  

Talos IR has previously observed BlackByte ransomware, but this quarter was the first time seeing the new variant, BlackByte NT. Unlike the former variants, this new variant (aka BlackByte 2.0) is written entirely in C++ and was discovered in May 2023. 

Talos IR observed the new BlackByte NT ransomware variant where the attackers initially compromised a valid account to gain access. Several accounts with administrator privileges were created in this engagement as well, showing ransomware actors’ reliance on account creation to escalate privileges and enable persistence. Attackers then used a combination of RDP, SSH, and Server Message Block (SMB) for lateral movement. Using the open-source Secure File Transfer Protocol (SFTP) tool WinSCP, adversaries exfiltrated data from the environment. Before encryption, the attackers cleared the Windows event logs to cover their tracks and deleted the shadow volume copies to inhibit system recovery, consistent with ransomware TTPs. Ransomware was propagated across the environment via SMB admin shares, a common distribution method also observed in ransomware attacks.   

**New ShroudedSnooper actor observed using custom backdoors **

This quarter also featured a new advanced persistent threat (APT) ShroudedSnooper targeting telecommunications firms in the Middle East. This activity is a continuation of a trend we have been monitoring over the past several years in which sophisticated actors are frequently targeting telecommunications organizations, a top-targeted industry vertical this quarter and throughout 2022, according to Talos IR. As part of this activity, ShroudedSnooper deployed two novel backdoor implants we dubbed “HTTPSnoop” and “PipeSnoop.” 

These backdoors interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. Talos IR observed DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, and specifically extended detection and response (XDR) agents, making detection challenging.  

**Initial vectors **

Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.   

**Security weaknesses **

Unpatched or misconfigured applications and a lack of multi-factor authentication (MFA) were tied to the top security weaknesses, each accounting for 40 percent of engagements. This activity aligns with the top two initial access vectors used by adversaries this quarter, including exploiting public-facing applications and abusing valid accounts. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP. Talos IR recommends expanding MFA for all user accounts, such as employee, contractor and business partner accounts.   

Staying up-to-date with software updates on public-facing applications is a crucial aspect of an organization’s security posture. Attackers often exploit vulnerabilities to achieve post-compromise objectives, such as privilege escalation. While vulnerability and patch management are critical, it is not always possible to immediately apply every security patch due to the complexity of enterprise networks. Talos IR recommends prioritizing critical vulnerabilities that pose the biggest threats to preventing exploitation.   

Misconfigurations can also leave organizations exposed regardless of an adversary’s intention. Talos IR frequently sees actors compromising systems that were misconfigured to be exposed publicly. Attackers often take the path of least resistance by leveraging vulnerabilities and exposures, highlighting that organizations need to be proactive in ensuring both systems and tools are configured properly.    

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the volume Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

*   Exploitation of public-facing applications was the top observed means of gaining initial access this quarter, accounting for 30 percent of total engagements.  
*   Attackers abused remote services, such as RDP, to move laterally in 25 percent of engagements. 
*   AnyDesk was observed in all ransomware and pre-ransomware engagements this quarter, underscoring its role in ransomware affiliates' attack chains.   
*   Indicator removal, such as clearing Windows event logs and file deletion, was the top defense evasion technique observed.   
*   In 25 percent of engagements this quarter, Talos IR observed attackers abusing scheduled tasks for continuous execution of malicious code to maintain persistence on an endpoint.    

Initial Access (TA0001)  

Example  

T1190 Exploit in Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet    

Execution (TA0002)  

Example  

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client’s Active Directory environment  

Persistence (TA0003)  

Example  

T1053.005 Scheduled Task / Job: Scheduled Task  

Scheduled tasks were created on a compromised server  

Defense Evasion (TA0005)  

Example  

T1134.002 Access Token Manipulation: Create Process with Token  

Attackers created a new process using the command “run as”  

Credential Access (TA0006)  

Example  

T1003.001 OS Credential Dumping: LSASS Memory  

Use “lsass.exe” for stealing password hashes from memory  

Lateral Movement (TA0008)  

Example  

T1021.001 Remote Services: Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop   

Command and Control (TA0011)  

Example  

T1219 Remote Access Software  

Remote access tools found on the compromised system    

Exfiltration (TA0010)  

Example  

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol  

Using FTP for file exfiltration  

Impact (TA0040)  

Example  

T1486 Data Encrypted for Impact  

Deploy LockBit ransomware and encrypt critical systems

Attacks on web applications spike in third quarter, new Talos IR data shows

By Owais Sultan
Incident management software is crucial for efficiently handling and resolving unexpected incidents and disruptions, ensuring minimal downtime and…
This is a post from HackRead.com Read the original post: What Is Incident Management Software?

Incident management software is crucial for efficiently handling and resolving unexpected incidents and disruptions, ensuring minimal downtime and maximum productivity for organizations.

Incidents are bound to happen in business from time to time. They are events that disrupt operations and reduce the quality of service being rendered. The IT and customer service departments would use incident management to resolve the issue and restore the situation to normal.

In this article, we’ll discuss how incident management software can help a business respond to incidents much faster or step in to prevent such events from happening. 

**What is incident management software?**

Every company needs to have an incident management procedure that allows them to detect, diagnose, and fix any sudden occurrences quickly. Apart from having skilled and dedicated IT operations staff, you should also invest in incident management software.

It’s an application that helps to track, respond to, and resolve unplanned events and system downtime effortlessly. The software helps to centralize information, automate certain tasks, and make it easier to collaborate on fixing any incident in real-time. 

**Some examples of incidents that can occur suddenly and impact customers**

A business incident refers to any event that causes loss or disruption to the everyday flow of activities. Whether it was triggered internally or not, you have to address the issue before it gets out of hand. These incidents can range from minor inconveniences to major problems that may require more time and resources. Let’s see examples of incidents. 

*   **Technical glitches**

When a device or software isn’t working properly, it’s often considered to be a glitch. You may discover that internal systems are slowing productivity down or not responding as usual. Sometimes, customer touchpoints such as a website, e-commerce store, mobile apps, or payment gateways may develop faults and hinder operational flow.

*   **A disruption to your service**

These are incidents that affect the quality of products or services you’re offering. For example, an e-commerce store that can’t seem to stock in-demand products is likely to lose many customers. It’s also the same when a service provider is unable to provide the service as required. Such issues should be contained so you can stay in business. 

*   **An unplanned power outage**

If your business relies on power to run efficiently, you need to have a backup power source to keep operations going. For example, there can be a natural disaster that might cause a grid malfunction or power outage in your town. You need to have a contingency plan that allows your business to continue running in the face of such events. 

*   **A sudden flood of customer service calls**

There are certain moments when numerous customers would send requests and ask for support. It often occurs when customers are having difficulty with your product or service. The solution is to have reliable support software and experienced staff who can resolve the issues quickly.  

*   **A security breach**

When anyone gains unauthorized access to a company’s devices, network, or data, it’s regarded as an incident. The security breach may happen as a cyber threat or hacking and sensitive data is at risk of being copied or stolen. You need to prevent and know how to manage such situations. 

**What are the features of incident management software?**

An incident management software can help you mitigate the impact of a service disruption when unexpected events occur. It would help to communicate with affected users, perform root cause analysis, share information across teams, and work on restoring normal operations quickly. Here are some useful features of such software:

*   **Early detection to help pre-empt an incident**

It’s important to detect issues across your entire system before it’s too late and send alerts to team members. This ensures that everyone is aware of the problem and will work on fixing the matter as quickly as possible. Although customers can report issues by themselves, it’s best to monitor your systems and automatically detect any issues.

*   **Incident alerting that immediately notifies you of a problem.**

When several customers are complaining about the same issue, it means there’s an incident that needs to be sorted out. You can easily track incidents with a ticketing system that creates, tags, and routes support requests to agents. This would give agents a unified view of the tickets and let them know when a particular issue is affecting customers. 

*   **Analyzing and categorizing data according to the severity of the crisis**

The best part about incident management software is that it automatically gathers data on the situation. You can easily analyze customer complaints and know how severe the problem is. It can also help to trace, prevent, and have a contingency plan to keep such crises in check. You can also access the data to create an effective incident report. 

*   **Automatic escalation**

When the software detects an incident, it can escalate to a specialized team or higher-level support. This ensures that the right people are aware so they can resolve the incident and deal with any root causes that may have triggered it. You can define escalation policies so service agents can know when to route problems to the IT helpdesk team. 

**How can IT and customer support teams use incident management software to help restore normal operations quickly?**

To provide excellent customer service in your business, you should be able to manage incidents effectively. It’s a lengthy process that involves activities such as reporting, logging, troubleshooting, resolution, and assessments. Let’s see how incident management software can help teams to manage and resolve business incidents quickly. 

*   **Develop a crisis management plan**

You can create a solid incident management plan around such software. From early detection to communication to escalation, you can streamline the flow of activities to be done when a crisis happens when you least expect it. 

*   **Diagnose and investigate incidents early**

Incident management tools are meant to help you discover and understand everything about incidents. It can perform routine monitoring across your systems and track common complaints from your customers within a specific period. 

*   **Communicate and share information about the incident with agents and escalate to management.**

Customer service and IT helpdesk teams can collaborate on a central system. They can easily communicate about the issue, share any findings or thoughts, and escalate to those who are better equipped to handle such incidents. 

*   **Performing triage according to the severity of the crisis.**

A crisis management team needs to evaluate the incident to determine how severe it is, its potential causes, and the next steps to take. With proper examination, you’d be able to prioritize the incident and handle it with utmost urgency.

*   **Communicate and update customers as the incident progresses.** 

It’s necessary to inform customers of the incident and what is being done to restore normalcy. This helps them know that your company is working on the incident. You can also communicate resolution times or any temporary solutions.

*   **Incident resolution**

An incident management tool helps IT and support teams resolve incidents faster and more efficiently. It automates the process of logging, prioritizing, and escalating issues. It also allows communication with teams and customers. 

*   **Post-incident analysis to help you prevent a similar incident from occurring in the future.**

After an incident has been resolved, the company needs to analyze the entire situation and determine the root causes. The software helps to record resolution details, level of customer satisfaction, and prevention methods. 

****_RELATED ARTICLES_****

1.  What is Cloud Mining and How Does it Work?
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  What is the tokenization process and why it is so important?
4.  Cybersecurity risk assessment: Does Your Company Need It?
5.  Learning Management System: What is it and Why do you need it?
6.  What is Dark Web, Search Engines, What Not to Do on the Dark Web

What Is Incident Management Software?

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission.  IBM X-Force ID:  256020.

CVE-2023-33837: Security Bulletin: IBM Security Verify Governance is affected by multiple vulnerabilities

The top 10 priorities of state CIOs underscore the importance of securing applications and APIs in complex environments.

The US National Association of State Chief Information Officers (NASCIO) released its set of State CIO Top Ten Policy and Technology Priorities for 2023 back in December 2022. I'd like to examine these priorities now as they relate to developing, delivering, and securing the applications and application programming interfaces (APIs) that help make state and local governments run — as well as how the complexity of hybrid and multicloud environments factors into the priorities.

**1\. Cybersecurity and Risk Management**

Over time, infrastructure has become significantly more complex and distributed. Most enterprises, including state and local governments, are managing hybrid and multicloud environments. By exposing more touch points, these more complex environments create an expanded threat landscape. State and local governments face intense pressure to continue improving their applications and APIs. However, this fast pace of innovation opens up the potential for vulnerabilities and security issues and necessitates protecting those applications and APIs. Thus, it is no surprise that cybersecurity and risk management are this year's top priority.

**2\. Digital Government/Digital Services**

Now more than ever, state and local governments are tasked with providing digital services to their citizens. Ensuring that services are provided to the appropriate and intended individuals is of the utmost importance. So is ensuring that digital services give citizens the best possible experience. This requires simplifying and optimizing how environments in which we deploy our applications and APIs are managed, as well as having those environments perform properly. Simplifying complexity improves security by removing the potential for human error, as does ensuring that APIs are served to the right citizens in a timely manner.

**3\. Workforce**

New environments require new skills. As state and local government infrastructures have evolved, so have the skills required to manage, operate, maintain, and secure them. This means training the workforce and equipping workers for today's challenges — including securing hybrid and multicloud environments and detecting, analyzing, and responding to security incidents wherever they occur, even in one or more cloud environments.

**4\. Legacy Modernization**

The migration of some applications and APIs to hybrid and multicloud environments has become an integral part of legacy modernization. As states and local governments go through these modernization efforts, their cloud strategies have been and will remain an important piece of the overall picture. Environments will need to be properly secured as they are modernized, regardless of where those environments reside.

**5\. Identity and Access Management**

Applications and APIs connect to (and potentially expose) back-end systems and data. In many cases, they are also the public face of the enterprise. As such, properly controlling access to applications and APIs is a significant challenge for any enterprise, including state and local governments. While identity and access management (IAM) is a broad topic, it has specific applicability to applications and APIs running in hybrid and multicloud environments.

**6\. Cloud Services**

As noted above in point 4, cloud strategy is an important piece of the overall picture within state and local governments. Citizens have grown to expect services to be delivered quickly and efficiently. They also expect significant innovation. This has necessitated that state and local governments move quickly and adapt. Such nimbleness is a key component of any cloud strategy, and an organization's cloud security efforts need to be equally nimble.

**7\. Consolidation/Optimization**

Simplifying and optimizing the management, operations, maintenance, and security of a variety of environments remains an important priority for two main reasons: In many enterprises, entire teams are dedicated to operating and maintaining infrastructure, development, security, and other technology stacks at each different environment. As the number of environments grows, this approach does not scale (it is an _n_\-squared problem, for those who enjoy algorithms).

In addition, as the saying goes: Complexity is the enemy of security. The complexity that hybrid and multicloud environments introduce makes it difficult to universally and consistently apply security policies. It also opens up the potential for human error and oversights that can lead to vulnerabilities. Simplifying this complexity by consolidating and centralizing the management of different environments becomes a necessity.

**8\. Data and Information Management**

Properly securing APIs, which expose back-end systems and data, is an essential piece of protecting data. API security includes a variety of important topics, including ensuring APIs conform to security policy and schema requirements.

While API security is a big focus area, so is API discovery. After all, if an API is not known, it can't be properly inventoried, managed, and secured. When thinking about data and information management, it is important to consider the security of APIs as an important part of that.

**9\. Broadband/Wireless Connectivity**

Part of providing services to citizens involves bringing state and local networks closer to the constituents. Efforts to improve broadband and wireless connectivity have many moving parts, and cloud and edge environments play a role in these efforts. Protecting those networks from unauthorized access is paramount to security.

**10\. Customer Relationship Management**

Citizens have come to expect that state and local governments will provide services within acceptable time frames. This requires serving applications and APIs quickly and efficiently. Service-level agreements (SLAs) will need to be met. A well-designed cloud security strategy is an essential part of achieving these goals and properly managing the relationship with citizens.

**In Short: Applications Are Key**

State and local government CIOs and their teams face no shortage of challenges. Generally, there are more issues needing attention than there are resources to do them. As such, simplifying the management, operations, maintenance, and security of complex environments becomes key.

In the era of hybrid and multicloud environments, state and local governments will generally see good returns on investments by more efficiently and effectively developing, delivering, and securing the applications and APIs that help make state and local governments run.

How State and Local Governments Can Serve Citizens More Securely

A spoofed version of an Israeli rocket-attack alerting app is targeting Android devices, in a campaign that shows how cyber-espionage attacks are shifting to individual, everyday citizens.

Using a trending item as a malicious lure is relatively common; to do it in a period of military conflict and deliberately target users in the affected region is a different step.

Recently, a genuine app — RedAlert - Rocket Alerts — has been popular among users in the Israel and Gaza region, since it allows individuals to receive timely and precise alerts about incoming airstrikes. However, a malicious, spoofed version of the app was detected last week, which collected personal information including access to contacts, call logs, SMS, account information, and an overview of other installed apps.

This and the discovery of a similar incident indicates that unfortunately, the Israel-Hamas conflict's cybercrimes will extend beyond nation-state attacks on critical infrastructure — and into the palm of the user's hand.

**The Initial Malicious App**

According to the discovery by Cloudflare, the website hosting the malicious file was created on Oct. 12, and it has been taken offline since. Only those users who installed the Android version of the app are impacted, and they are urgently advised to delete the app.

A statement from Cloudflare said it became aware of a website hosting a Google Android Application that impersonated the legitimate RedAlert - Rocket Alerts application. "Given the current climate in Israel, this application is heavily relied upon by individuals living in the country to be notified when it is critical to seek safety," it said.

The creation of a malicious app spoofing a known brand is common, according to a recent report from Arctic Wolf, which said malicious apps found in official app stores are often disguised with the use of names, images, or descriptions similar to popular or malware-free apps. They also may have fake reviews to help increase the malicious app's rating and to make them look more realistic.

But in this case, the malicious application mimicked a widely used app to steal data, in what Cloudflare called "a time of distress" where services such as this are replied upon, adding that this is "another example of threat attackers leveraging authenticity to carry out impactful attacks."

Casey Ellis, founder and CTO of Bugcrowd, says he does expect to see more cases like this where the Gaza conflict is used as a malware lure — both regionally and globally.

"Attackers are always on the lookout for events that create fear, uncertainty, and a volatile information environment, and the Israel-Hamas conflict definitely meets these criteria," he says.

Cloudflare was unable to add attribution to whoever was behind this malicious app, and there is no evidence that this was even a threat actor from the Middle East. So this could be the work of an unrelated cybercriminal looking to use the conflict for their malicious gain.

**More Than One Incident**

In a separate detection, Cloudflare said the pro-Palestinian hacktivist group AnonGhost exploited a vulnerability in another application, Red Alert: Israel. This allowed the group to intercept requests, expose servers and APIs, and send fake alerts to some app users, including a message that a nuclear bomb strike was imminent.

In its detection of that incident, Group-IB Threat Intelligence said this shows that the actions of attackers can be diverse, as hacktivists are generally associated with conducting small-scale DDoS attacks and defacement. But as the ongoing conflict shows, sometimes their actions can be far more devastating and costly, and "it's essential to map and properly mitigate the risk of hacktivism as part of a threat intelligence program."

Krishna Vishnubhotla, vice president of product strategy at Zimperium, says spoofing mobile apps is easy, as many app teams are inadvertently giving threat actors a blueprint for abuse.

He says, "App teams focus on code optimization and speed to market, but never ensure sufficient threat visibility and protection for their apps once they are published. Threat actors know this and use reverse engineering to truly understand an app's inner workings."

Vishnubhotla adds, "Knowing an application's architecture, data flow, and security mechanisms allows a hacker to easily create spoofed apps."

**Be Careful With Clicks**

The advice to avoid becoming victimized by these types of attacks is fairly straightforward. Arctic Wolf recommend checking the app's developers and reviews, restricting permissions when necessary; users should download apps only from reputable developers and look for mentions of scams or malicious activity mentioned in reviews by other users.

The advice from Group-IB was for organizations to carefully examine and fortify all Web-facing applications, as "it's not uncommon for hacktivists to exploit web and mobile APIs, often perceived as softer targets compared to the principal product APIs."

Ellis admits his advice on protection from malicious apps — saying users should trust, but verify — is nothing groundbreaking, but it persists for a reason.

"Double-check before you trust anything that offers to assist you in issues of personal safety, and triple-check before you share it with others," he says. He acknowledges that in this case, the malicious apps were downloaded by people in a state of concern and potentially without the due consideration they would usually give to vetting them.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile

By Waqas
The feature is called IP Protection, and it's important to note that it is not a VPN. A VPN encrypts all of a user's traffic, while IP Protection only masks their IP address.
This is a post from HackRead.com Read the original post: Google Chrome to Mask User IP Addresses to Protect Privacy

Google is apparently working on a new Chrome browser feature called IP Protection, set for release in early 2024. This feature routes users’ internet traffic through a proxy server to hide their IP addresses

Google is developing a new feature for its **Chrome browser** called IP Protection, which will mask users’ IP addresses to protect their privacy. This feature is currently in development and is expected to be released to the public in early 2024.

IP Protection works by routing users’ traffic through a **proxy server**, which hides their real IP address from the websites and online services they visit. This can help prevent websites and online services from tracking users’ online activity and creating detailed profiles of them.

As seen **here**, the plan to conduct experiments was officially revealed on October 19th, along with an initial set of domains designated for proxying. Initially, requests to Google-owned domains will exclusively be directed through Google-owned proxies.

The feature can also help prevent users from being blocked from accessing websites or online services that are not available in their region.

It is worth noting that, IP Protection is an opt-in feature, therefore users will have the choice of whether or not to use it. It is also important to note that IP Protection is not a VPN. **A reliable VPN encrypts** all of a user’s traffic, while IP Protection only masks their IP address.

****Benefits of Using IP Protection****

There are several potential benefits to using IP Protection, including:

*   **Increased privacy:** IP Protection can help to protect users’ privacy from websites and online services that track users’ IP addresses. This can make it more difficult for these websites and services to create detailed profiles of users’ online activity.

*   **Improved security:** IP Protection can help to improve users’ security by preventing them from being tracked by malicious websites and online services. It can also help to prevent users from being blocked from accessing websites or online services that are not available in their region.

*   **Better performance:** In some cases, IP Protection can improve users’ internet performance by reducing the distance that their traffic has to travel.

****Potential** **Drawbacks of Using IP Protection****

There are also some potential drawbacks to using IP Protection, including:

*   **Reduced functionality:** Some websites and online services may not work properly when users are using IP Protection. This is because these websites and services may rely on users’ IP addresses to provide certain features or functionality.

*   **Increased bandwidth usage:** IP Protection can increase users’ bandwidth usage because their traffic is being routed through a proxy server.

*   **Decreased privacy:** While IP Protection can help to protect users’ privacy from websites and online services, it is important to note that the proxy servers used by IP Protection are operated by Google. This means that Google will be able to see users’ traffic, even if it is masked.

Overall, IP Protection is a promising new feature that can help to improve users’ privacy and security online. However, it is important to be aware of the potential drawbacks before using it.

****IP Protection as a Step Towards a More Privacy-Respecting Web****

IP Protection is just one of many steps that Google and other tech companies are taking to make the web more privacy-respecting. Other initiatives include phasing out third-party cookies and limiting fingerprinting, a feature that was introduced in the Mozilla Firefox browser **back in 2019**.

These initiatives are important because the web has become increasingly invasive in recent years. Websites and online services often collect vast amounts of data about users, including their IP addresses, browsing history, and purchase history. This data is then used to track users across the web and **target them with advertising**.

IP Protection and other privacy-enhancing features can help to give users more control over their privacy online. By masking users’ IP addresses and limiting fingerprinting, these features can make it more difficult for websites and online services to track users and create detailed profiles of them.

As more and more users adopt privacy-enhancing features, the web will become a more private place for everyone. This is a positive development for users and for the internet as a whole.

****_RELATED ARTICLES_****

1.  Google Makes Passkeys Default for All Users
2.  What is an OSINT Tool – Best OSINT Tools 2023
3.  Google offers Dark Web monitoring for US Gmail users
4.  Google’s Latest Android Feature Drop: Dark Web Search for Gmail ID
5.  Encrypted Email Service ProtonMail Now Supports Physical Security Keys

Google Chrome to Mask User IP Addresses to Protect Privacy

Debian Linux Security Advisory 5531-1 - It was discovered that roundcube, a skinnable AJAX based webmail solution for IMAP servers, did not properly sanitize HTML messages. This would allow an attacker to load arbitrary JavaScript code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5531-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondOctober 23, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : roundcubeCVE ID         : CVE-2023-5631Debian Bug     : 1054079It was discovered that roundcube, a skinnable AJAX based webmailsolution for IMAP servers, did not properly sanitize HTMLmessages. This would allow an attacker to load arbitrary JavaScriptcode.For the oldstable distribution (bullseye), this problem has been fixedin version 1.4.15+dfsg.1-1~deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.6.4+dfsg-1~deb12u1.We recommend that you upgrade your roundcube packages.For the detailed security status of roundcube please refer toits security tracker page at:https://security-tracker.debian.org/tracker/roundcubeFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmU2FhEACgkQEL6Jg/PVnWTgbQf/T08r3SQ/NFUpzs1/8k+euPOyysNFnW7JZ1LcI+ug5iF8RrdEVVuURZHK7i/SuRNomgEQbUyVpgSb9rb6z5qkc0k6gbfh2+KMRk0ViHhG1+tuEe1O99abXt+5LUQNtXWVMAniWWdbtdQeCBHWgxMpstarWq4akgCnx1Dj7Tj8PyX05+bYFpR79WMqCKypX4lz1kP8U3U5c0tPDi/zjuzGT1IvVSyWPesaNHzmD4ZMr9A/dcDBtxQ+kTaPN3GVPJoDG9TVOcHQTqcb2MmTQY5FtvQswVCXiEsugbmgOQ4wiUYlV90C8s4ALSxBBiv+mOUCKZH/mNNjNeHKADW+nOkOeg===TSzb-----END PGP SIGNATURE-----

Debian Security Advisory 5531-1

Zscaler Client Connector Installer on Windows before version 3.4.0.124 improperly handled directory junctions during uninstallation. A local adversary may be able to delete folders in an elevated context.







CVE-2021-26734

By Owais Sultan
Installing Microsoft Exchange Updates can be a challenging task, as it may lead to various issues in the…
This is a post from HackRead.com Read the original post: How to Install Microsoft Exchange Updates with Reliability

Installing Microsoft Exchange Updates can be a challenging task, as it may lead to various issues in the process, such as compatibility problems, data loss, service disruptions, security vulnerabilities, update failures, dependency conflicts, or backup and recovery challenges.

There are several things that can go wrong when installing Cumulative Updates (CU) or Security Updates on your Exchange Server. You may encounter issues during and after installation or even the installation of updates may fail or stop.

The installation of updates could be hindered due to underlying issues with the operating system, damaged hardware, incorrect network configuration, conflict with third-party applications, corrupted updates, or human errors. In this article, we will be going through the things that you can do to prevent issues when installing updates and how to resolve issues (if occur) as fast as possible and with no data loss.

****Prerequisites before Installation****

To avoid any issues during updates installation, you need to first identify the currently installed version of the Cumulative Updates on your server. For this, you can use the Get-ExchangeServer command as given below.

Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion

This will give information about the version of the Exchange Server installed, along with the build number. On the Exchange Server updates download page, you can check the version you are downloading and confirm the installation matrix compatibility. Sometimes, you need to hop to a specific version before installing the latest one.

Before downloading the updates, it’s important to double-check with your Exchange Server consultant or supplier that you are installing the right update.

****Read the release notes****

It’s important to read the notes to know about any known issues, restrictions, or other information which is crucial for installing your update. There might be possible solutions to known issues while installing the update in question. Although it might be an administrative burden, you must check the release notes before installing the updates.

****Installing the Updates****

You should not rush through any installation or confirmation. All things must be documented and audited. This will help in troubleshooting if something goes wrong. Such documents help find out where the problem is. If you would involve your supplier or Microsoft support, then this will help them to resolve the problem easily.

Cumulative Updates take time to install, depending on the performance of the server. Ideally, you should restore a copy of the server in a sandbox environment and install the updates to test it if you have a single Exchange Server. If you have a Database Availability Group (DAG), you should first install the updates on the passive server. After a week of testing and ensuring that nothing was broken, you can go ahead and install them on the live server. 

****Ensure Redundancy****

When installing updates or changing the configuration of your environment, you should always have a failover plan. If you have a single instance of the server, you might consider testing the daily backup and performing a restore test to ensure that you can roll back if something happens.

If you have a Database Availability Group (DAG) with two or more servers, you need to make sure that the failover process is functioning properly and that the replication of databases is healthy.

Although it might not always be possible, it is highly recommended to take a backup before installing the updates or making any changes.

****Contingency Plan****

There is always a contingency plan before proceeding with the installation. In case the installation fails, there should be a set of instructions that need to be followed to recover from such a situation, such as:

*   Who to inform
*   Who to engage
*   What is to be done
*   Data loss parameters

****What to do if something goes wrong during or after the update installation?****

As mentioned, there are a lot of things that could go wrong when installing Cumulative Updates (CU), Security Updates (SU), or making any other changes to your infrastructure. If power is lost during the installation, storage is full, or an antivirus scan is executed, then these things can put the database in a dirty shutdown state and possibly corrupt the database or transaction logs. The Exchange Server will not boot or the Exchange Server services will not start due to corrupt installation files. In such situations, you can do the following:

****1\. Restore the Server from Backup****

You can restore the server from backup. This will easily resolve the problem. However, if there were any changes during the installation, then these will be lost. 

****2\. Rebuild the Server and Recover the Data****

The other option is to rebuild the Exchange Server. As all the configuration of the Exchange Server is in the Active Directory Schema, installing the server with the recovery mode and keeping the same IP Address and computer name will help recover the services.

To recover the data from corrupted databases or transaction logs, you can take the help of a specialized Exchange server recovery tool, like Stellar Repair for Exchange. This tool can open any version of an EDB file and in any state. It allows you to granularly export the data from the EDB file directly to a live mailbox database on your rebuilt Exchange Server while ensuring no data loss. The application can also export the EDB data to PST and other file formats.

****Conclusion****

Ensure a smooth Exchange Server update process involves thorough preparation, documentation, testing, and having contingency plans in place. Adhering to the best practices outlined in this article will significantly help you to avoid issues and minimize the impact of any problems that may arise during or after Cumulative Updates (CU) or Security Updates.

1.  Software Review: Stellar Repair for Exchange
2.  How to Create ISO Files from Discs – 3 Best Ways
3.  How to Remove Duplicate Lines in EmEditor (2023)
4.  How to configure cPanel and WHM Panel on your VPS
5.  How to Hide Tables in SQL Server Management Studio
6.  Microsoft’s Windows File Recovery tool recovers your lost data
7.  PDF Security – How To Keep Sensitive Data Secure in a PDF File
8.  MySQL Performance Tuning: Top 5 Tips for Blazing Fast Queries
9.  How to Craft Rich Data-Driven Infographics with Powered Template
10.  5 Common Database Management Challenges & How to Solve Them
11.  Stellar Data Recovery Professional – Most user-friendly data recovery software

How to Install Microsoft Exchange Updates with Reliability

The Add Custom Body Class plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_custom_body_class' value in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')**

CVE

CVE-2023-5205

CVSS

6.4 (Medium)

Publicly Published

October 20, 2023

Last Updated

October 21, 2023

Researcher

Francesco Carlucci  

**Description**

The Add Custom Body Class plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add\_custom\_body\_class' value in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

**References**

*   plugins.trac.wordpress.org

**Share**

**1 affected software package**

Software Type

Plugin

Software Slug

add-custom-body-class (view on wordpress.org)

Patched?

No

Remediation

No known patch available. Please review the vulnerability's details in depth and employ mitigations based on your organization's risk tolerance. It may be best to uninstall the affected software and find a replacement.

Affected Version

*   <= 1.4.1

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

All the threat data shared in this database is powered by **Wordfence Intelligence Enterprise**.  
Interested in integrating this data into your platform or network?  
Contact us now to discuss API access to our Wordfence Intelligence Enterprise Data Feeds.

Inquire Now

Want to get notified of the latest vulnerabilities that may affect your WordPress site?  
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

Tag

#perl