**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

130.0.2849.46

10/17/2024

130.0.6723.59

CVE-2024-43578: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2024-43587: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2024-43566: Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?**

An attacker would have to send the victim a malicious file that the victim would have to execute.

CVE-2024-43577: Microsoft Edge (Chromium-based) Spoofing Vulnerability

A MOIS-aligned threat group has been using Microsoft Exchange servers to exfiltrate sensitive data from Gulf-state government agencies.

Source: Daniren via Alamy Stock Photo

An Iranian threat actor has been ramping up its espionage against Gulf-state government entities, particularly those within the United Arab Emirates (UAE).

APT34 (aka Earth Simnavaz, OilRig, MuddyWater, Crambus, Europium, Hazel Sandstorm) is a group that has been previously tied to the Iranian Ministry of Intelligence and Security (MOIS). It's known to spy on high-value targets in major industries across the Middle East: oil and gas; finance; chemicals; telecommunications; other forms of critical infrastructure; and governments. Its attacks have demonstrated a sophistication befitting its targets, with suites of custom malware and an ability to evade detection for long periods of time.

Recently, Trend Micro has observed a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, most notably within the UAE. These newer cases have featured a new backdoor, "StealHook," which uses Microsoft Exchange servers to exfiltrate credentials useful for escalating privileges and performing follow-on supply chain attacks.

**APT34's Latest Activity**

Recent APT34 attacks have begun with Web shells deployed to vulnerable Web servers. These Web shells allow the hackers to run PowerShell code, and download or upload files from or to the compromised server.

One tool it downloads, for example, is ngrok, legitimate reverse proxy software for creating secure tunnels between local machines and the broader Internet. APT34 weaponizes ngrok as a means of command-and-control (C2) that tunnels through firewalls and other network security barricades, facilitating its path to a network's Domain Controller.

"One of the most impressive feats we've observed from APT34 is their skill in crafting and fine-tuning stealthy exfiltration channels that allow them to steal data from high profile sensitive networks," notes Sergey Shykevich, threat intelligence group manager at Check Point Research, which recently uncovered an APT34 espionage campaign against Iraqi government ministries. In its prior campaigns, the group has mostly secured its C2 communications via DNS tunneling and compromised email accounts.

To obtain greater privileges on infected machines, APT34 has been exploiting CVE-2024-30088. Discovered through the Trend Micro Zero Day Initiative (ZDI) and patched back in June, CVE-2024-30088 allows attackers to gain system-level privileges in Windows. It affects multiple versions of Windows 10 and 11, and Windows Server 2016, 2019, and 2022, and received a "high" severity 7 out of 10 score in the Common Vulnerability Scoring System (CVSS). That rating would've been higher, but for the fact that it requires local access to a system, and isn't simple to exploit.

APT34's best trick, though, is its technique for abusing Windows password filters.

Windows allows organizations to implement custom password security policies — for example, to enforce good hygiene among users. APT34 drops a malicious DLL into the Windows system directory, registering it like one would a legitimate password filter. That way, if a user changes their password — a good cybersecurity practice to do often — APT34's malicious filter will intercept it, in plaintext.

To complete its attack, APT34 calls on its newest backdoor, StealHook. StealHook retrieves domain credentials that allow it into an organization's Microsoft Exchange servers. Using the targeted organization's servers and stolen email accounts, the backdoor can now exfiltrate stolen credentials and other sensitive government data via email attachments.

**Follow-On Risks of APT34 Attacks**

"The technique of abusing Exchange for data exfiltration and C&C is very effective and hard to detect," says Mohamed Fahmy, cyber threat intelligence researcher at Trend Micro. "It has been used for years in \[APT34's\] Karkoff backdoor, and most of the time it evades detection."

Besides exfiltrating sensitive account credentials and other government data, APT34 has also been known to leverage this level of access in one organization to carry out follow-on attacks against others tied to it.

For some time now, Fahmy says, the threat actor has "fully compromised a specific organization, and then used its servers to initiate a new attack against another organization (having a trust relationship with the infected one). In this case, the threat actor can leverage Exchange to send phishing emails."

He adds that government agencies in particular often relate to one another closely, "so the threat actor could compromise this trust."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Iran's APT34 Abuses MS Exchange to Spy on Gulf Gov'ts

A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.
The vulnerability, tracked as CVE-2024-9486 (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.
"A security issue

Vulnerability / Kubernetes

A critical security flaw has been disclosed in the Kubernetes Image Builder that, if successfully exploited, could be abused to gain root access under certain circumstances.

The vulnerability, tracked as **CVE-2024-9486** (CVSS score: 9.8), has been addressed in version 0.1.38. The project maintainers acknowledged Nicolai Rybnikar for discovering and reporting the vulnerability.

"A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process," Red Hat's Joel Smith said in an alert.

"Additionally, virtual machine images built using the Proxmox provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access."

That having said, Kubernetes clusters are only impacted by the flaw if their nodes use virtual machine (VM) images created via the Image Builder project with the Proxmox provider.

As temporary mitigations, it has been advised to disable the builder account on affected VMs. Users are also recommended to rebuild affected images using a fixed version of Image Builder and redeploy them on VMs.

The fix put in place by the Kubernetes team eschews the default credentials for a randomly-generated password that's set for the duration of the image build. In addition, the builder account is disabled at the end of the image build process.

Kubernetes Image Builder version 0.1.38 also addresses a related issue (CVE-2024-9594, CVSS score: 6.3) concerning default credentials when image builds are created using the Nutanix, OVA, QEMU or raw providers.

The lower severity for CVE-2024-9594 stems from the fact that the VMs using the images built using these providers are only affected "if an attacker was able to reach the VM where the image build was happening and used the vulnerability to modify the image at the time the image build was occurring."

The development comes as Microsoft released server-side patches three Critical-rated flaws Dataverse, Imagine Cup, and Power Platform that could lead to privilege escalation and information disclosure -

*   **CVE-2024-38139** (CVSS score: 8.7) - Improper authentication in Microsoft Dataverse allows an authorized attacker to elevate privileges over a network
*   **CVE-2024-38204** (CVSS score: 7.5) - Improper Access Control in Imagine Cup allows an authorized attacker to elevate privileges over a network
*   **CVE-2024-38190** (CVSS score: 8.6) - Missing authorization in Power Platform allows an unauthenticated attacker to view sensitive information through a network attack vector

It also follows the disclosure of a critical vulnerability in the Apache Solr open-source enterprise search engine (CVE-2024-45216, CVSS score: 9.8) that could pave the way for an authentication bypass on susceptible instances.

"A fake ending at the end of any Solr API URL path, will allow requests to skip Authentication while maintaining the API contract with the original URL Path," a GitHub advisory for the flaw states. "This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing."

The issue, which affects Solr versions from 5.3.0 before 8.11.4, as well as from 9.0.0 before 9.7.0, have been remediated in versions 8.11.4 and 9.7.0, respectively.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Kubernetes Image Builder Vulnerability Exposes Nodes to Root Access Risk

October Linux Patch Wednesday. There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel. 5 vulnerabilities with signs of exploitation in the wild: 🔻 Remote Code Execution – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks🔻 Remote Code Execution – Mozilla Firefox (CVE-2024-9680) […]

**October Linux Patch Wednesday.** There are 248 vulnerabilities in total. Of these, 92 are in the Linux Kernel.

5 vulnerabilities with signs of exploitation in the wild:

🔻 **Remote Code Execution** – CUPS (CVE-2024-47176) and 4 more CUPS vulnerabilities that can also be used to enhance DoS attacks  
🔻 **Remote Code Execution** – Mozilla Firefox (CVE-2024-9680)

For 10 vulnerabilities there are no signs of exploitation in the wild yet, but exploits exist. Among them, the following can be highlighted:

🔸 **Remote Code Execution** – Cacti (CVE-2024-43363)  
🔸 **Elevation of Privilege** – Linux Kernel (CVE-2024-46848)  
🔸 **Arbitrary File Reading** – Jenkins (CVE-2024-43044)  
🔸 **Denial of Service** – CUPS (CVE-2024-47850)  
🔸 **Cross Site Scripting** – Rollup JavaScript module (CVE-2024-47068)

🗒 Vulristics October Linux Patch Wednesday Report

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

October Linux Patch Wednesday

But the time when quantum computers pose a tangible threat to modern encryption is likely still several years away.

Source: funtap via Shutterstock

Researchers at China's Shanghai University have demonstrated how quantum mechanics could pose a realistic threat to current encryption schemes even before full-fledged quantum computers become available.

The researchers' paper describes how they developed a working RSA public key cryptography attack using D-Wave's Advantage quantum computer. Specifically, the researchers used the computer to successfully factor a 50-bit integer into its prime factors, thereby giving them a way to derive private keys for decryption.

**Significant Development**

Security researchers who have taken a look at the report generally don't consider the demonstration as posing any current threat to modern encryption systems, which typically use 2048-bit — or sometimes even larger — keys. Breaking these 2048-bit keys still remains computationally unfeasible, and the new research has not changed that fact.

What it does show, however, is the potential for quantum approaches to crack modern cryptography in a way that researchers have not considered before.

"Realistically, achieving the computational power necessary to break RSA-2048 encryption — which requires around 10,000 stable, error-corrected qubits — remains at least a few years away, given current technological limitations," says Avesta Hojjati, head of R&D at DigiCert.

But the Chinese research demonstrates significant progress in exploiting cryptographic weaknesses through specialized quantum techniques, rather than full-fledged universal quantum computers, Hojjati says. "It effectively illustrates that advancements in niche quantum methods could pose earlier, smaller-scale cryptographic risks, emphasizing a gradual rather than immediate progression toward large-scale quantum threats."

Almost everyone agrees the arrival of quantum computers in the next few years will completely undermine the protections of modern cryptography. They perceive quantum computers as easily breaking even the strongest current encryption protocols with their enormous computing power. Stakeholders, including governments, hardware makers, software developers, cloud service providers, and enterprises, all foresee the need for new quantum-resilient cryptography standards to protect against the threat and are collectively working toward developing those standards.

**A Different Approach to an Old Challenge**

One reason the Chinese research has attracted considerable attention is because it takes a different approach to harnessing quantum mechanisms for cryptography. Specifically, it involves a quantum approach called quantum annealing, which typically has been applied in processes like optimization and sampling, but not so much in factorization. A lot of the research around the implications of quantum computing on cryptography has instead focused on gate-based quantum computing. "D-Wave's quantum annealing, operating with fewer qubits than projected universal quantum computers for large-scale cryptography, succeeded in factoring with greater efficiency," Hojjati says. "By reimagining RSA's integer factorization as an optimization problem, the researchers showcase quantum annealing's potential to exploit cryptographic vulnerabilities ahead of the availability of universal quantum computers."

Rahul Tyagi, CEO of SECQAI, says the significance of the Chinese research lies in its innovative approach to quantum computing. It offers fresh insight beyond the well-explored paths of algorithms that are tailored to gate-based quantum computers. "The research emphasizes the importance of considering other computing paradigms, such as D-Wave, which may be better suited for certain types of algorithmic approaches," Tyagi says.

Importantly, this research does not appear to compromise existing cryptographic systems. It seems instead to present optimizations of existing methods while suggesting new ideas and approaches. "Ultimately, any research into new attack vectors is valuable, and this paper underscores the need to look beyond conventional methods and consider the broader quantum computing landscape."

Like Hojjati, Tyagi perceives significant advancements still remain before quantum computers break open encryption mechanisms. And that will likely take years. In the meantime, organizations should remain proactive by investing in quantum-resistant technologies and continuously updating their security protocols. From an academic perspective, the key question is how to redesign known attack vectors to exploit this emerging heterogeneous landscape of computational capabilities, Tyagi adds.

For the moment, what organizations must do is understand their own infrastructure, and establish what cryptography is being used and where. "Systems with a lifetime of 10 years or more need to be migrated ASAP to quantum-resilient encryption," Tyagi says. "Anything with a four-year time horizon is probably OK for now — however, a long-term road map needs to be created to define when the migration needs to occur."

Hojjati recommends that organizations enable visibility into current encryption practices so they can identify vulnerable algorithms and create pathways for swift transitions to quantum-safe options. "By developing crypto agility now," he advises, "organizations can efficiently deploy quantum-resistant encryption as standards evolve, reducing long-term risks and minimizing disruption."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Chinese Researchers Tap Quantum to Break Encryption

An issue in the component /index.php?page=backup/export of REDAXO CMS v5.17.1 allows attackers to execute a directory traversal.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-37gm-h5wr-pf25: Path traversal in redaxo

PRESS RELEASE

SAN FRANCISCO, Oct. 16, 2024 /PRNewswire/ -- Bugcrowd, the leader in crowdsourced cybersecurity, today released its annual Inside the Mind of a Hacker 2024 report, which analyzed responses from 1,300 hackers, also known as ethical hackers and security researchers on the Bugcrowd Platform. This report provides a comprehensive overview of the hacking community and their perspectives on topics at the forefront of cybersecurity.

AI adoption and integration has continued its rapid momentum within the hacking community. Nevertheless, it continues to pose both benefits and unfortunate cyber risks. According to the report, 82% of hackers believe that the AI threat landscape is evolving too fast to adequately secure.

AI is the new attack vector

This year's report revealed a significant shift in the perceived value of AI in hacking compared to the previous year. While only 21% of hackers believed that AI technologies enhance the value of hacking in 2023, 71% reported it to have value in 2024. Additionally, hackers are increasingly using generative AI solutions, with 77% now reporting the adoption of such tools—a 13% increase from 2023.

While the use and value of AI solutions among hackers have increased, the 2024 report reaffirms that hackers believe AI has limitations. This year's survey revealed that only 22% of hackers believe that AI technologies outperform human hackers, and only 30% believe that AI can replicate human creativity. These results are consistent with those of the 2023 survey.

"There is no denying that AI remains a strong force within the hacking community, changing the very strategies hackers are using to find and report vulnerabilities," says Dave Gerry, CEO of Bugcrowd. "Bugcrowd is in a privileged position to work with a creative, forward-thinking community that thrives on the cutting edge of cybersecurity. Celebrating hackers is part of the core of what we do at Bugcrowd, and these insights can help businesses understand the unique value this community brings to fighting against today's AI-driven cyberattacks."

Key findings from the survey include the following:

*   93% of hackers agree that companies using AI tools have created a new attack vector
    
*   82% believe that the AI threat landscape is evolving too rapidly to be effectively secured from cyberattacks
    
*   86% believe that AI has fundamentally changed their approach to hacking
    
*   74% agree that AI has made hacking more accessible, opening the door for newcomers to join the fold
    
*   Despite these threats, 73% of hackers reported being confident in their ability to uncover vulnerabilities in AI-powered apps
    

These findings point towards the need for hackers in an organization's defense against today's cyberattacks. Although AI is introducing a new attack vector, the majority of hackers still report confidence in their ability to uncover these vulnerabilities, emphasizing the need for organizations to lean on human ingenuity alongside security tooling.

The Rise of Hardware Hacking

The report illuminated the rise of a surprising trend: the increasing prominence of hardware hacking. In the past 12 months, 81% of hardware hackers encountered a new vulnerability they had never seen before, and 64% believe that there are more vulnerabilities now than a year ago. Additionally, in response to the rise of AI, 83% of hardware hackers are now confident in their ability to hack AI-powered hardware and software, indicating a new potential avenue for exploitation. While those familiar with the field may recognize this growing threat, only 33% of hackers in general identified hardware hacking as one of the most valuable specialties. However, there is a low barrier to entry, with 80% of hardware hackers being self-taught.

"Hardware hacking, or the exploitation of vulnerabilities in the physical components of electronic devices, was once considered a specialized field," says Michael Skelton, VP of Security Operations at Bugcrowd. "However, the proliferation of inexpensive, vulnerable smart devices has increased interest in hardware hacking among both ethical hackers and cybercriminals."

A Career Path for a New Generation

This year's survey results also emphasized hacking as a viable and strong career path, particularly for younger generations. Of the respondents, 88% were between the ages of 18 and 34. Additionally, 67% indicated that they are either hacking full-time or actively trying to pursue a full-time hacking career.

Additionally, hacking offers a career path for self-motivated individuals who are eager to learn new skills. While 73% of respondents reported having a college degree or higher, only 29% learned their hacking skills through academic or professional coursework. Instead, 87% reported learning through online resources, 78% through self-study, and 43% through trial and error. Hacking offers younger generations an incredibly desirable career with flexible hours, a remote work environment, and without the requirement of a college degree to achieve success.

Access the Full Report

The survey included 1,300 respondents from 85 countries, including the United States, India, Bangladesh, Pakistan, Nepal, Egypt, Nigeria, the United Kingdom, Vietnam, and Australia. Building upon the success of previous years, this year's edition offers the latest demographic data on the hacking community, a detailed analysis of hackers' daily experiences, and direct insights into hackers' journeys through extensive "Hacker Spotlight" interviews. Readers of this report will better understand how hackers can reduce risks for organizations, provide one of the most significant security returns on investment, and accelerate digital transformation. To download a copy of the Inside the Mind of a Hacker 2024 report, click here.

About Bugcrowd  
We are Bugcrowd. Since 2012, we've been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of our customers and trusted alliance of elite hackers, with our patented data and AI-powered Security Knowledge Platform™. Our network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, our data and AI-driven CrowdMatch™ technology in our platform finds the perfect talent for your unique fight. We are creating a new era of modern crowdsourced security that outpaces threat actors.

Unleash the ingenuity of the hacker community with Bugcrowd, visit www.bugcrowd.com. Read our blog.

Tag

#vulnerability