Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations.
Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America,

Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations.

Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations.

Also singled out since February 2024 are diplomatic, government, semiconductor supply-chain, non-profit, and religious entities located in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, Netherlands, Taiwan, the U.K., the U.S., and Vietnam.

"TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access," the cybersecurity company said. "The group used open-source Go backdoors Pantegana and Spark RAT post-exploitation."

Attack chains involve the exploitation of known security flaws impacting various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate.

The group has also been observed conducting wide-ranging reconnaissance activity aimed at internet-facing appliances belonging to organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. This also comprised several Cuban embassies located in Bolivia, France, and the U.S.

"Beginning on April 16, 2024, TAG-100 conducted probable reconnaissance and exploitation activity targeting Palo Alto Networks GlobalProtect appliances of organizations, mostly based in the U.S., within the education, finance, legal, local government, and utilities sectors," the company said.

This effort is said to have coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400, a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls.

Successful initial access is followed by the deployment of Pantegana, Spark RAT, and Cobalt Strike Beacon on compromised hosts.

The findings illustrate how PoC exploits can be combined with open-source programs to orchestrate attacks, effectively lowering the barrier to entry for less sophisticated threat actors. Furthermore, such tradecraft enables adversaries to complicate attribution efforts and evade detection.

"The widespread targeting of internet-facing appliances is particularly attractive because it offers a foothold within the targeted network via products that often have limited visibility, logging capabilities, and support for traditional security solutions, reducing the risk of detection post-exploitation," Recorded Future said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users, including those belonging to administrative users.
The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10.0.
"This vulnerability is due to improper

Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users, including those belonging to administrative users.

The vulnerability, tracked as **CVE-2024-20419**, carries a CVSS score of 10.0.

"This vulnerability is due to improper implementation of the password-change process," the company said in an advisory. "An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow an attacker to access the web UI or API with the privileges of the compromised user."

The shortcoming affects Cisco SSM On-Prem versions 8-202206 and earlier. It has been fixed in version 8-202212. It's worth noting that version 9 is not susceptible to the flaw.

Cisco said there are no workarounds that resolve the issue, and that it's not aware of any malicious exploitation in the wild. Security researcher Mohammed Adel has been credited with discovering and reporting the bug.

**CISA Adds 3 Flaws to KEV Catalog**

The disclosure comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation -

*   **CVE-2024-34102** (CVSS score: 9.8) - Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
*   **CVE-2024-28995** (CVSS score: 8.6) - SolarWinds Serv-U Path Traversal Vulnerability
*   **CVE-2022-22948** (CVSS score: 6.5) - VMware vCenter Server Incorrect Default File Permissions Vulnerability

CVE-2024-34102, which is also referred to as CosmicSting, is a severe security flaw arising from improper handling of nested deserialization, allowing attackers to achieve remote code execution. A proof-of-concept (PoC) exploit for the flaw was released by Assetnote late last month.

Reports about the exploitation of CVE-2024-28995, a directory transversal vulnerability that could enable access to sensitive files on the host machine, were detailed by GreyNoise, including attempts to read files such as /etc/passwd.

The abuse of CVE-2022-22948, on the other hand, has been attributed by Google-owned Mandiant to a China-nexus cyber espionage group known as UNC3886, which has a history of leveraging zero-day flaws in Fortinet, Ivanti, and VMware appliances.

Federal agencies are required to apply mitigations per vendor instructions by August 7, 2024, to secure their networks against active threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager

The group — which has targeted Israel, Saudi Arabia, and other nations — often uses spear-phishing and legitimate remote management tools but is developing a brand-new homegrown tool set.

Source: Muhammad Toqeer via Shutterstock

Iranian cyber-espionage group MuddyWater is pivoting from controlling infected systems with legitimate remote-management software to instead dropping a custom-made backdoor implant.

As recently as April, the group infected systems by targeting Internet-exposed servers or through spear phishing, ending with the installation of the SimpleHelp or Atera remote management platforms, security-operations provider Sekoia said in an advisory. Yet, in June, the group switched to a different attack chain: sending out a malicious PDF file with an embedded link leading to a file on stored on the Egnyte service, which installs the new backdoor, dubbed MuddyRot by Sekoia.

Check Point Software noted the shift to the new tool as well. MuddyWater has been using the backdoor implant, which the firm calls BugSleep, since May, and has quickly been improving it with new features and bug fixes, says Sergey Shykevich, threat intelligence group manager at Check Point Software.

Often, they also introduce new bugs into the malware, however. "They likely realized that their tactic of utilizing remote management tools as a backdoor was not effective enough and decided to swiftly transition to homemade malware," Shykevich says. "Probably due to pressure for a rapid change, they released an incomplete version."

Iran has become a significant cyber-threat actor in the Middle East. Since at least 2018, the MuddyWater threat group has targeted a variety of government agencies and critical industries with malicious attacks, stated a 2022 advisory published jointly by US and UK government agencies. The MuddyWater group is part of the Iranian Ministry of Intelligence and Security (MOIS), with other cybersecurity firms referring to the group as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, according to the joint advisory.

**An Attack Tool Under Construction**

The BugSleep backdoor uses typical anti-analysis tactics, such as delaying execution — that is, going to "sleep" — to avoid being detected or running in a sandbox. The backdoor also employs encryption, but in many instances the encryption was not properly executed.

The encryption issues are not the only bugs in the code. In other samples, the program creates a file — "a.txt" — and then later deletes it, apparently for no reason. These issues, plus the frequent updates, suggests the code is still under development, stated Check Point Software's advisory.

MuddyWater previously had created its own backdoor programs, such as one called Powerstats, written in PowerShell, but later shifted to using remote management (RMM) software, Sekoia's advisory noted.

"We don’t yet know why MuddyWater operators have reverted to using a homemade implant for their first infection stage in at least one campaign," the advisory stated. "It is likely that the increased monitoring of RMM tools by security vendors, following their rise in abuse by malicious threat actors, has influenced this change."

The use of a file sharing service such as Egnyte to host malicious documents has become more popular among attackers. The trial period is often sufficient enough time to give the attackers a platform to use during an attack, Check Point Software's Shykevich says.

"Numerous file-sharing platforms are utilized by attackers within their infection chains," he says. "In theory, emulating and scanning the uploaded files can reduce the malicious use, but it is quite complicated from operational and cost perspectives for the file-sharing services operators."

**"Umbrella of APTs" in the Middle East**

The lures used in the group's phishing campaigns have become simpler — focusing on "generic themes such as webinars and online course," which allows them to send out a higher volume of attacks, Check Point Software's advisory stated.

"Their sophistication level is medium, but they are a highly persistent and aggressive group from the standpoint of phishing campaigns and targeting of specific sectors or organizations," Shykevich says. "They send hundreds of malicious emails to multiple recipients in the same organization or the same sector, also doing it across different days."

MuddyWater may not be a single group, however. In 2022, Cisco's threat intelligence group, Talos, described them as an "umbrella of APT groups." The US Cybersecurity and Infrastructure Security Agency (CISA) describes the group as "a group of Iranian government-sponsored advanced persistent threat (APT) actors," in its advisory.

The group employs "spearphishing, exploiting publicly known vulnerabilities, and leveraging multiple open-source tools to gain access to sensitive government and commercial networks," CISA stated, adding, "MuddyWater actors are positioned both to provide stolen data and accesses to the Iranian government and to share these with other malicious cyber actors."

While the group focuses on attacking organizations in Israel and Saudi Arabia, they have also hit other nations, including India, Jordan, Portugal, Turkey, and even Azerjaiban, the advisories said.

**About the Author(s)**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Iranian Cyber-Threat Group Drops New Backdoor, 'BugSleep'

A Server-Side Template Injection (SSTI) vulnerability in the edit theme function of openCart project v4.0.2.3 allows attackers to execute arbitrary code via injecting a crafted payload.

**openCart Server-Side Template Injection (SSTI) vulnerability**

High severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

GHSA-xrh7-2gfq-4rcq: openCart Server-Side Template Injection (SSTI) vulnerability

Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.

**Roundup Cross-site Scripting Vulnerability**

Moderate severity GitHub Reviewed Published Jul 17, 2024 to the GitHub Advisory Database • Updated Jul 17, 2024

GHSA-x37x-qf4v-f54f: Roundup Cross-site Scripting Vulnerability

Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.

GHSA-xjgw-ghrx-wfff: Roundup Cross-site Scripting Vulnerability

In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.

GHSA-w8vc-cwv9-wx67: Roundup Cross-site Scripting Vulnerability

PRESS RELEASE

REDWOOD SHORES, Calif., July 16, 2024 /PRNewswire/ -- Tumeryk Inc., a leader in AI security solutions, proudly announces the launch of the Tumeryk AI Security Studio to enable organizations to simulate and enhance generative AI (gen AI) security. The large language model (LLM) vulnerability scanner can be run by security professionals against their gen AI API inference endpoints. The Tumeryk LLM Safety Report generated allows enterprises to discover potential gen AI risks and protect against them by building security policies in the Tumeryk Gen AI Firewall. The Gen AI Firewall is built using NVIDIA NeMo Guardrails and other state-of-the-art tools and research.

Tumeryk is also hosting a free webinar - Generative AI Security and Risk Mitigation - featuring Rohit Valia, CEO and founder of Tumeryk, and Christopher Parisien, senior manager of applied research at NVIDIA, to share how organizations can leverage Tumeryk's technologies to safely deploy gen AI-based applications into production. Sign up for the webinar enables access to the free gen AI LLM vulnerability scanner service and the Tumeryk Gen AI Security Studio.

"By making the gen AI LLM vulnerability scanner service available for free, Tumeryk is allowing organizations to get an understanding of their risk profile while using these innovative technologies and ensuring that they stay secure and compliant," said Valia. "Artificial intelligence, particularly Gen AI, holds immense transformative potential – and demand for the best security tools." 

"Gen AI presents a powerful opportunity for innovation, and organizations must approach implementations with safety in mind, especially for regulated industries. As CISOs, we need to adapt our security capabilities and operations to be inclusive of Gen AI solutions," said Puneet Thapliyal, ex-CISO at Hippocratic.ai. "Tumeryk provides the tools for enterprises to enhance gen AI security."

The Gen AI Security Studio is designed for security analysts, providing a comprehensive platform to scan LLMs and build and test gen AI Firewall policies. This proactive approach helps identify vulnerabilities and strengthens AI defenses prior to deployment. 

The Gen AI Firewall enables centralized controls over gen AI access. Security and governance teams can collaborate with developers to build sophisticated guardrails using the Gen AI Security Studio and deploy them to the Gen AI Firewall. Utilizing NVIDIA NeMo Guardrails, the Gen AI Firewall leverages heuristics to block jailbreak attempts, score hallucinations, moderate content, and orchestrate dialogs. It enables the creation of virtual silos for LLMs using role-based access control (RBAC) and enhances security through an API key vault. This firewall is crucial for maintaining the integrity and reliability of AI systems by helping ensure interactions remain within predefined security parameters.

The AI Security Monitoring Dashboard offers a single pane of glass for monitoring LLMs across cloud providers. This allows operations teams to monitor the performance of gen AI applications and review comprehensive logs and alerts to ensure any deviations from expected behavior are promptly addressed. 

The free LLM scanner and Gen AI Security Studio can be accessed from the AWS Marketplace or https://tumeryk.com/, providing easy access for organizations looking to enhance their AI security posture. Tumeryk AI solutions represent a significant advancement in AI security, offering a holistic approach to managing the complexities of gen AI. As AI continues to integrate deeper into business operations, Tumeryk Inc. remains at the forefront of ensuring these systems are secure, reliable, and aligned with organizational policies.

About Tumeryk Inc.

Tumeryk Inc. is a pioneering company in AI security solutions, dedicated to developing innovative technologies that safeguard AI systems. With a focus on proactive risk management and comprehensive protection strategies, Tumeryk Inc. enables organizations to deploy AI with confidence and integrity.

You May Also Like

Tumeryk Inc. Launches With Free Gen AI LLM Vulnerability Scanner

PRESS RELEASE

BETHESDA, Md., July 16, 2024 /PRNewswire-PRWeb/ -- As organizations continue to fortify their cybersecurity strategies in response to an ever-evolving threat landscape, many are turning to Zero Trust architectures to safeguard their data. However, implementing Zero Trust is not without its challenges. According to a new strategy guide from the SANS Institute, "Navigating the Path to a State of Zero Trust in 2024," businesses often stumble over key obstacles in their journey towards Zero Trust adoption.

"The path to achieving a true state of Zero Trust isn't straightforward. Organizations often encounter several fundamental challenges when attempting to implement end-to-end Zero Trust principles across their environment," said Ismael Valenzuela, SANS Senior Instructor and author of the Cyber Defense and Blue Team Operations course, SANS SEC530: Defensible Security Architecture and Engineering. "By understanding and addressing these common mistakes, businesses can make better strategic and tactical decisions and increase their resiliency in the face of evolving threats."

Here are the top five mistakes identified:

● Overlooking the Importance of Organizational Culture: Zero Trust is more than just a technological shift; it requires a fundamental change in organizational culture. Chief Information Security Officers (CISOs) must align security with strategic, operational, and financial priorities. As the strategy guide states, "Effective security is driven by people, processes, and technology." Failure to secure stakeholder buy-in from the outset can doom Zero Trust initiatives to fail.

● Underestimating Human Risk: Employee error and negligence account for over 80% of data breaches. Hybrid work environments blur the lines between personal and professional spaces, increasing the complexity of monitoring user activity. "A Zero Trust architecture is an important line of defense against human risk," the strategy guide emphasizes. Organizations must implement continuous monitoring and real-time assessment of user behavior to mitigate these risks.

● Neglecting the Supply Chain: Recent high-profile supply chain attacks have underscored the vulnerabilities within interconnected systems. According to Gartner, by 2025, 45% of organizations worldwide will have experienced attacks on their supply chains. Zero Trust principles help limit the impact of these breaches by ensuring continuous verification and deeper visibility into user activity.

● Failing to Plan for Sustainable Success: Implementing Zero Trust is a long-term commitment that requires continuous improvement and adaptation. The SANS strategy guide highlights the importance of effective change management practices: "Effective change management ensures stakeholder buy-in, facilitates user adoption, minimizes disruption, promotes continuous improvement, and enhances collaboration."

● Inadequate Measurement of Success: Measuring the effectiveness of a Zero Trust framework is crucial for maintaining stakeholder support. The guide suggests several metrics, including authentication success rates, policy compliance rates, and the time to detect and respond to incidents. These metrics provide a clear picture of the framework's impact and highlight areas for improvement.

"Adopting the Zero Trust 'never trust, always verify' mindset is essential for modern cybersecurity," said Valenzuela. "However, the real challenge lies in having a realistic understanding of what a Zero Trust architecture looks like and avoiding common pitfalls during implementation. From cultural shifts to technical deployments, this offers vital guidance to help organizations successfully navigate the complexities of Zero Trust and enhance their cybersecurity resilience."

For more information on implementing Zero Trust and to download the full strategy guide, visit: https://www.sans.org/u/1xo2

Top 5 Mistakes Businesses Make When Implementing Zero Trust

PRESS RELEASE

BOSTON, July 16, 2024 /PRNewswire/ -- Cybercrimes like dealer system hacks, identity theft, and breaches are wreaking havoc on the auto industry. As the industry becomes more technology-driven, increasingly sophisticated cybercriminals are finding more opportunities to strike. In fact, the auto sector is now the third most targeted behind healthcare and financial services. The recent attacks against Findlay Auto Group and CDK Global are just two of many examples that have brought attention to the industry's vulnerabilities.

A number of regulations have been issued to ensure dealers adequately protect consumer data. In particular, the Red Flags Rule requires dealers to implement programs to protect customers from potential identity theft and fraud.

That's why Aura, the all-in-one consumer online safety solution, today announced its partnership with Mosaic Compliance Services to provide identity protection to anyone who gives dealers personally identifiable information (PII) during the car-buying process.

Mosaic is a leader in helping dealerships nationwide implement legally defensible and insurable compliance systems. By combining Aura's award-winning identity theft protection services with Mosaic's industry-leading fully managed compliance solutions, this partnership helps dealers adhere to the Red Flags Rule regulations, mitigate risk, and provide proactive protection from cybercrime for their roofs, shoppers, and buyers.

"We partnered with Aura so that every consumer, shopper, or buyer gets identity theft protection simply because they gave the dealer their non-public personal information," said James S. Ganther, Esq., CEO at Mosaic Compliance Services. "Through this collaboration, we're able to both provide peace of mind to buyers whose information is collected and ease the compliance burden for dealers–providing everything from counsel on policies to operational improvements, audits, and consumer online protections."

Aura plays a crucial role in the mitigation piece of compliance with the Red Flags Rule. With these regulations, auto dealers are now obligated to protect the personal information provided to them. By offering Aura to consumers, dealers help proactively mitigate fraudby monitoring for instances of identity theft, credit misuse, and financial fraud.

"With cyber attacks, scams, and breaches happening every day, car buyers are aware of the risk associated with providing their personal information to companies," said Scott Hudson, Senior Vice President of Sales at Aura. We know that 84% of customers say they would not buy another vehicle from a dealership if a breach compromised their data. By offering Aura's identity protection solution to every consumer who provides personally identifiable information, dealers can earn trust upfront in the car-buying process."

Aura works with hundreds of dealerships across the U.S. to offer identity and fraud protection to hundreds of thousands of consumers. If you're interested in partnering with Aura and Mosaic Compliance Services, contact \[email protected\].

ABOUT AURA   
Aura is one of the fastest growing online safety solutions for individuals and families. Whether you're protecting yourself, your kids, or your aging loved ones, Aura can meet your needs at every stage of life. Customers trust Aura's simple interface to effortlessly safeguard the things they care about most. Through real-time monitoring and alerts, Aura helps detect and mitigate emerging online threats, such as scams, predators and cyberbullying. To discover how Aura is reshaping online safety for people everywhere, visit www.aura.com.

ABOUT MOSAIC COMPLIANCE SERVICES   
Mosaic Compliance Services was founded in 2006 by automotive attorneys who saw the need to make compliance more approachable and effective for dealerships. Today, Mosaic is a leading provider of compliance solutions for dealers. Serving over 150,000 active users, we help dealerships across the country implement a culture of compliance that includes processes, training, policies, certifications, safeguards, audits, and more. Our web-based legal compliance training has received the Dealers' Choice Diamond Award eight years in a row, including 2023. In everything we do Mosaic strives to provide the most knowledgeable service and tailored guidance in the industry. As your dedicated compliance partner, our goal is your success.

Tag

#vulnerability