Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access restricted data without proper authorization. The lack of server-side validation exacerbates the issue, as the application relies on client-side information for authentication.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-995c-qww8-64fj: Oqtane Framework Incorrect Access Control vulnerability

An IDOR (Insecure Direct Object Reference) vulnerability exists in Oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the request URL. By changing the notification ID, an attacker can view sensitive mail details belonging to other users.

GHSA-2hr5-cvwp-jr5w: Oqtane Framework Insecure Direct Object Reference vulnerability

LockBit ransomware gang's takedown is in progress!

****KEY SUMMARY POINTS****

*   **Arrest of Rostislav Panev**: Dual Russian-Israeli national Rostislav Panev, a key developer for the LockBit ransomware group, was arrested in Israel in August and awaits extradition to the U.S.

*   **Role in LockBit Operations**: Panev allegedly developed and maintained malware infrastructure for LockBit, enabling affiliates to launch ransomware attacks globally since 2019.

*   **Evidence Seized**: Authorities discovered administrator credentials for LockBit’s dark web tools, malware source codes, and control panel access during Panev’s arrest.

*   **Admissions and Payments**: Panev admitted to disabling antivirus software, deploying malware, and printing ransom notes, earning over $230,000 in cryptocurrency for his work.

*   **Impact of LockBit**: LockBit ransomware has targeted over 1,800 U.S. victims and thousands more worldwide, causing billions in damages and collecting over $500 million in ransom payments.

The U.S. Department of Justice (DoJ) has announced the arrest of Rostislav Panev, a dual Russian and Israeli national accused of being a key developer for the LockBit ransomware operation.

The 51-year-old was apprehended in Israel back in August and is now awaiting extradition to the United States to face charges including computer fraud, wire fraud, and extortion for his role in developing and maintaining LockBit ransomware infrastructure from 2019 to 2024.

LockBit, once dubbed the “most destructive ransomware group in the world,” has created major problems for thousands of victims across more than 120 countries, including over 1,800 in the U.S. alone. **From hospitals** and schools to **critical infrastructure** and multinational corporations, no sector has been safe from their attacks.

The group’s malicious activities have reportedly netted them at least $500 million in ransom payments while causing billions more in damages through lost revenue and recovery costs.

****Who is Rostislav Panev?****

According to the DoJ’s **press release**, Panev allegedly played a critical role in the development and maintenance of LockBit’s malware infrastructure. From the group’s emergence in 2019 until at least February 2024, Panev worked as a developer, creating tools that enabled LockBit affiliates to carry out attacks and extort victims.

During his arrest, authorities seized Panev’s computer, uncovering evidence that linked him directly to the group’s operations. This included administrator credentials for a dark web repository containing source code for multiple versions of the LockBit builder, a tool used to generate custom malware for specific victims. Investigators also found access credentials for the LockBit control panel, a dark web dashboard used by developers and affiliates to coordinate attacks.

According to the DoJ’s superseding criminal complaint, in interviews with Israeli authorities following his arrest, Panev admitted to writing code that disabled antivirus software, deployed malware across victim networks, and printed ransom notes on connected printers. He also confessed to receiving regular cryptocurrency payments for his work, summing over $230,000 between June 2022 and February 2024.

****Takedown of LockBit****

Panev’s arrest is the latest in a series of actions against the LockBit group. Earlier this year, the UK’s National Crime Agency (NCA) **led a coordinated international effort** to disrupt LockBit’s operations, seizing key servers and websites used by the group. This move significantly crippled LockBit’s ability to launch new attacks and extort victims.

The DoJ has also charged seven other individuals associated with LockBit, including **Dmitry Yuryevich Khoroshev**, the group’s alleged primary administrator. Khoroshev, who remains at large, is believed to have played a central role in recruiting affiliates and overseeing LockBit’s operations.

Two other LockBit affiliates, Mikhail Vasiliev and Ruslan Astamirov, have already pleaded guilty to their involvement in the group and are awaiting sentencing. Meanwhile, other key figures like Artur Sungatov and Ivan Kondratyev remain fugitives, with rewards of up to $10 million offered for information leading to their arrest.

In November 2024, Russian authorities arrested **Mikhail Pavlovich Matveev**, also known as Wazawaka and Boriselcin, a member of the Lockbit group. Matveev is also wanted by the FBI for his involvement in the Hive and Babuk ransomware operations.

Nevertheless, the fight against ransomware takes a major step forward with Panev’s extradition and prosecution, marking an important milestone in holding cybercriminals accountable. The message is simple: in our connected world, cybercrime doesn’t pay.

1.  **Ukraine Arrests Cryptor Specialist Aiding Conti and LockBit**
2.  **Rabbi Arrested for Hacking CCTV at Lady’s Swimwear Shop**
3.  **FBI Kills Kelihos Botnet Amid Russian Hacker’s Arrest in Spain**
4.  **Israeli arrested for hacking Madonna’s PC, selling songs online**
5.  **Husband, wife among ransomware operators arrested in Ukraine**

LockBit Developer Rostislav Panev, a Dual Russian-Israeli Citizen, Arrested

Cybersecurity researcher Jeremiah Fowler discovered a 1.2TB database containing over 3 million records of Builder.ai, a London-based AI software and app development company. Discover the risks, lessons learned, and best practices for data security.

****KEY SUMMARY POINTS****

*   **Unsecured Database:** A publicly accessible Builder.ai database containing 3 million records (1.29 TB) was found without password protection or encryption, exposing critical customer and internal data.

*   **Exposed Sensitive Information:** The leak included invoices, NDAs, tax documents, email screenshots, and cloud storage keys, putting customer PII and internal operations at risk.

*   **Potential Exploits:** Risks include phishing, invoice fraud, unauthorized cloud access via exposed keys, and reputational damage to Builder.ai.

*   **Delayed Response:** It took nearly a month for Builder.ai to secure the database after being notified, raising concerns about their incident response efficiency.

*   **Recommendations:** Experts stress the need for encryption, secure storage of access keys, and segregating sensitive data to prevent similar breaches.

Builder.ai, a London, England-based AI development platform with branches in the US, Asia, Europe, and the Middle East, exposed a treasure trove of customer and internal data to public access without any security authentication or password.

This was revealed by cybersecurity researcher Jeremiah Fowler to Hackread.com who discovered a publicly accessible **misconfigured database** containing over 3 million records, totalling a whopping 1.29 TB of records. 

According to Fowler’s **report** for Website Planet, the sensitive information included customer cost proposals, NDA agreements, invoices, tax documents, internal communications, secret access keys, customer PII, and email correspondence screenshots. The database contained around 337,434 invoices (18 GB) and 32,810 files (4 GB) labelled Master service agreements.

> _“Storing documents and access keys (e.g., Key ID and Secret Access Key) in plain text within the same database could potentially create a critical security vulnerability. In the event of an accidental exposure or unauthorized access to the database, malicious actors could use the keys to access linked systems, cloud storage, or other sensitive resources without additional authentication.”_
> 
> Jeremiah Fowler

Database misconfigurations are a common issue, but a recent report highlights that even notorious hacker groups like ShinyHunters and Nemesis are **actively targeting exposed databases**. This shows that any such database if ended up in the hands of malicious threat actors can jeopardise the company’s reputation and user’s privacy.

Moreover, exposed documents can be a goldmine for hackers, enabling **social engineering attacks** such as crafting realistic fake invoices embedded with malware to exploit unsuspecting Builder.ai customers.

What’s worse, insider information within the data could be used to launch targeted phishing attempts against Builder.ai’s employees. That’s not all; leaked cloud storage access keys could grant unauthorized access to even more sensitive data stored elsewhere.

However, the risk extended further from the initial discovery. Builder.ai took an entire month to secure the database following the researcher’s notification, citing “complex system dependencies” as the reason for the delay. This explanation hints, though somewhat unclear, that the database exposure might have involved a third-party contractor.

The researcher emphasizes the importance of building systems with minimal dependencies to avoid hampering **incident response**. Nevertheless, to minimize risk, Fowler recommends organizations store administrative credentials and access keys securely, encrypt them, store them in a dedicated system, and separate them from other sensitive data, to prevent exploitation.

1.  **Propertyrec Leak Exposes Background Check Records**
2.  **Facial DNA provider leaks biometric data via WordPress folder**
3.  **Video Marketing Software Animker Leaking Trove of User Data**
4.  **US, UK Military Social Network “Forces Penpals” Exposes SSNs**
5.  **Canadian Eyecare Firm Care1 Exposes 2.2TB of Patient Records**

Builder.ai Database Misconfiguration Exposes 1.29 TB of Unsecured Records

The software development industry is expanding tremendously. It drives up the need for technical people and new solutions.…

The software development industry is expanding tremendously. It drives up the need for technical people and new solutions. Let’s check the top AI trends to follow in 2025.

Generative AI solutions are changing software development. They automate repetitive coding tasks, increase developer productivity, improve efficiency, and speed up product delivery. AI makes the work of DevOps teams more productive. It also enhances the effectiveness of Continuous Integration and Continuous Deployment (CI/CD) operations, enabling faster code deployment. Besides that, artificial intelligence solutions are useful in Quality Assurance (QA). They automate tests, generate data, and use innovative reporting methodologies.

We can say for sure that the software development industry has been thriving for years, with a focus on technology and innovation. And the number of developers turning to machine learning (ML), Artificial intelligence (AI), and big data solutions is increasing more and more. That’s just the beginning. Deep diving, let’s look at some of the top software development statistics and trends to keep your eye on for 2025.

****1\. Employment Growth for Software Developers****

Is there a need for software developers in the future? One would expect the need for software engineers to decrease as AI, machine learning, low-code development platforms, and other technologies become more popular. However, employment opportunities for software engineers are predicted to continue to rise at a rate of more than 20%. When compared to other positions, this figure is rather high. Finally, more than 1.3 million technology experts are predicted to work in the software development business by 2024. There will be even more opportunities in 2025.

****2\. IT Outsourcing Is on the Rise****

According to a McKinsey report, more than 85% of companies are suffering from a worldwide talent shortage. And the situation is not expected to change any time soon. Here are some statistics about the global skills shortage and outsourcing development:

*   The number of open opportunities in the software development business is predicted to reach 85.2 million by 2030.
*   Companies outsource software development to developers from other countries. This year, the country’s IT outsourcing market will increase at a CAGR of 7.25 percent.
*   The worldwide IT outsourcing industry is expected to reach $410.2 billion by 2027.

Polish your use of AI/ML and Cloud technologies while learning from industry talents to bring your software product to a whole new level. At the same time, according to ObjectStyle, a staff augmentation provider, incidents involving state-backed hackers posing IT Workers to infiltrate Western companies have become a new trend which goes on to show that companies must remain alert when it comes to outsourcing or hiring.

****3\. Building Secure Apps Is a Priority for Businesses****

In 2025, software development teams throughout the world will prioritize and focus on the safety and security of their products. A recent survey conducted among software development teams revealed that more than 30 percent of them had a specialist department for security monitoring and QA. This department is responsible for:

*   Responding to security vulnerabilities or attacks while minimizing damage.
*   Protecting corporate software from malicious code, coding flaws, and encryption failures.
*   Performing penetration testing, static security analysis (SAST), and configuration audits.
*   Ensuring proper code quality.

****4\. Top Programming Languages, Databases, and Cloud Platforms****

A recent StackOverflow poll provided us with some intriguing insights into the top software development trends:

*   JavaScript remains the most popular programming language, with more than 65 percent of respondents selecting it.
*   Rust is also a top popular programming language, with more than 86.73 percent of respondents favoring it.
*   When it comes to databases, MySQL leads with almost 46% of the votes.
*   AWS is the most popular cloud platform, with a market share of more than 50%.
*   Node.JS and React.JS are the most popular web frameworks in the software development business.
*   Docker is the most popular tool, with more than 75% of respondents voting in favor.

So keep these in mind when deciding on the core of your next software development project.

****5\. The World Is Going Remote****

According to the same poll, 42.98 percent of respondents work totally remotely. Similarly, 42.44 percent of respondents work in a hybrid workplace. These numbers demonstrate that enterprises throughout the globe are adopting remote work and its advantages. Only a limited number of companies would like their employees to work from the office in person. Hybrid and partly remote work regimes are becoming more and more popular with companies.

**6\. Custom Software Development Will Rock**

According to 2022 market demand, the value of software development in 2022 was $28.2 billion with a projected CAGR of 21.5% for the period 2023 to 2032. Simply said, the industry is expanding at an exponential rate. As businesses increasingly seek tailored solutions to meet their unique needs, the importance of custom software will only continue to rise. And the following trends will be true drivers:

*   User-Centered Design
*   Integration of AI and Machine Learning
*   Low-Code and No-Code Development
*   Cloud-Native Solutions
*   Enhanced Cybersecurity Measures
*   Blockchain Technology
*   Agile Methodologies and DevOps Practices
*   Sustainability Focus

To succeed in their business niche, every company or specialist involved in this industry should be aware of bespoke software development trends. For example, NFTs and Web 3 technologies were worth $16 billion in 2021. Companies that were able to adopt this trend over time reaped significant benefits.

****Let’s Wrap It up****

The software development industry is expanding tremendously. It drives up the need for technical people and new solutions. The software development business will place a greater focus on AI and ML in the future, creating outstanding employment possibilities for AI and ML developers worldwide. Despite these favourable tendencies, the worldwide skills scarcity is expected to drive enterprises towards IT outsourcing. Let’s keep an eye on the industry.

1.  Kotlin app development company – How to choose
2.  Best Methods for Storing, Protecting Digital Company Files
3.  What is an Infosec Audit, Why Does A Company Need One?
4.  Benefits of hiring a Java web application development firm
5.  Tips to protect company data sent via home internet connections

_Top image via y Innova Labs from Pixabay_.

Top AI Trends Every Software Development Company to Follow in 2025

Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method. An attacker can exploit this vulnerability by utilizing view-source:file://, which allows for arbitrary file reading on a local file.

**Note:**

This is a bypass of the fix for [CVE-2024-21544](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745).

GHSA-c9f5-29f6-c35w: Browsershot Improper Input Validation vulnerability

KEY SUMMARY POINTS Krispy Kreme, the beloved doughnut chain, disclosed a data breach on December 11, 2024, in…

****KEY SUMMARY POINTS****

*   **Krispy Kreme Data Breach:** The notorious Play ransomware group has claimed responsibility for the data breach at Krispy Kreme and is threatening to leak the data within two days.
*   **Threatening to Leak Data:** Hackers threaten to leak sensitive company data within two days.
*   **Play Ransomware and Doube Extortion:** The group uses a double-extortion model, exfiltrating and encrypting data.
*   **Play Ransomware Does Not Play:** Play Ransomware has a history of targeting various global sectors.
*   **International Links:** Recent reports link the group to North Korean state-backed hackers.

Krispy Kreme, the beloved doughnut chain, **disclosed a data breach** on December 11, 2024, in which its operations across the United States were disrupted. At the time, the identity of the attackers was unknown. However, Hackread.com can now exclusively reveal that the Play Ransomware group, also known as PlayCrypt, has claimed responsibility for the breach.

The Play Ransomware group made the announcement earlier today, December 19, via its **dark web** leak site. While Krispy Kreme has not disclosed whether any data was stolen or the nature of such data, the ransomware group is threatening to release sensitive internal company information within two days. The data reportedly includes the following:

*   **IDs**
*   **Client documents**
*   **payroll information**
*   **Financial information**
*   **Budgeting information**
*   **Accounting information**
*   **Tax-related information**
*   **Private and personal confidential data**

Screenshot from Play ransomware group’s dark web leak site (Credit: Hackread.com)

For context, the Play Ransomware group, which emerged in June 2022, specializes in targeting a wide range of sectors, including business, government, critical infrastructure, healthcare, and media. Their attacks have spanned across North America, South America, and Europe, making them a significant threat to the **cybersecurity infrastructure**.

The Play Ransomware group uses a double-extortion model, exfiltrating data before encrypting systems and threatening to release the stolen information if their ransom demands are not met. One of their most notable attacks occurred in June 2023, targeting Swiss government entities and resulting in data breaches that impacted hundreds of thousands of individuals.

**In July 2024**, Play Ransomware introduced a new variant designed to target Linux ESXi environments. However, the most alarming development came **in October 2024**, when a report from Palo Alto Networks’ Unit 42 revealed that the ransomware group was collaborating with North Korean government-backed hackers to carry out global attacks.

The Play Ransomware attack on Krispy Kreme is another reminder of the growing complexity and reach of cybercriminal groups. With their history of targeting critical sectors and recent collaboration with state-backed hackers, the group has now become a serious threat to businesses worldwide.

1.  **Aussie Food Giant Patties Foods Leaks Trove of Data**
2.  **Chowbus food delivery service suffers breach; data stolen**
3.  **FBI warns of ransomware attacks on Food, Agriculture sectors**
4.  **Dunkin Donuts Perks loyalty data breach: Change your password**
5.  **Hacker Claims Cisco Breach, Selling Stolen Data from Major Firms**

Play Ransomware Claims Krispy Kreme Breach, Threatens Data Leak

Criminals are luring victims looking to download software and tricking them into running a malicious command.

More and more, threat actors are leveraging the browser to deliver malware in ways that can evade detection from antivirus programs. Social engineering is a core part of these schemes and the tricks we see are sometimes very clever.

Case in point, there has been an increase in attacks that involve copying a malicious command into the clipboard, only to be later pasted and executed by the victims themselves. Who would have though that copy/paste could be so dangerous?

The new campaign we observed uses a a combination of malicious ads and decoy pages for software brands, followed by a fake Cloudflare notification that instructs users to manually run a few key combinations. Unbeknownst to them, they are actually executing PowerShell code that retrieves and installs malware.

**The discovery**

Our investigation into this campaign started from a suspicious ad for ‘notepad’ while performing a Google search. Such search queries have been a hot spot for criminals who want to lure victims that are looking to download programs onto their computer.

Based on previous evidence, criminals are tricking victims into visiting a lookalike site with the goal of downloading malware. In this case, the first part was true, but what unfolded next was new to us.

When we clicked the Download button, we were redirected to a new page that appeared to be Cloudflare asking us to “_verify you are human by completing the action below_“. This type of message is more and more common, as site owners try to prevent bots and other unwanted traffic.

But rather than having to solve a CAPTCHA, we saw another unexpected message: _“Your browser does not support correct offline display of this document. Please follow the instructions below using the “Fix it” button_“.

**Powerful technique**

This technique is actually not new in itself, and similar variants have been seen both via email spam and compromised websites before. It is sometimes referred to as ClearFake or ClickFix, and requires users to perform a manual action to execute a malicious PowerShell command.

Clicking on the ‘Fix It’ button copies that command into memory (the machine’s clipboard). Of course the user has no idea what it is, and may follow the instructions that ask to press the Windows and ‘R’ key to open the Run command dialog. CTRL+V pastes that command and Enter executes it.

Once the code runs, it will download a file from a remote domain (_topsportracing\[.\]com_) within the script. We tested that payload in a sandbox and observed immediate fingerprinting:

C:\\Users\\Admin\\AppData\\Local\\Temp\\10.exe  
    C:\\Windows\\SYSTEM32\\systeminfo.exe  
        C:\\Windows\\system32\\cmd.exe  
            C:\\Windows\\system32\\cmd.exe /c "wmic computersystem get manufacturer"

The information is then sent back to a command and control server (_peter-secrets-diana-yukon\[.\]trycloudflare\[.\]com_) abusing Cloudflare tunnels:

The use of Cloudflare tunnels by criminals was previously reported by Proofpoint to deliver RATs. We weren’t able to observe a final payload but it is likely of a similar kind, perhaps an infostealer.

**Campaign targets several brands**

This was not an isolated campaign for Notepad, as we soon found additional sites with a similar lure. There was a Microsoft Teams landing page which used exactly the same trick, followed by others such as FileZilla, UltraViewer, CutePDF and Advanced IP Scanner.

Oddly, we saw a lure for a cruise booking site. We have no idea how that came to be, unless the criminals agree that everyone needs a vacation sometimes.

**Overlap with other campaigns**

As mentioned previously, this type of social engineering attack is getting more and more popular. Researchers are tracking several different families under different names such as the original SocGholish.

Interestingly, the same domain (_topsportracing\[.\]com_) we saw in the malicious PowerShell command for Notepad++ was also used recently in another campaign known as #KongTuke:

As these schemes are being increasingly used by criminals, it is important to be aware of the processes involved. The Windows key and the letter ‘R’ pressed together open the Run dialog box. This is not something that most users will ever need to do, so always think carefully whenever you are instructed to perform this.

Malwarebytes customers are protected against this attack via our web protection engine for both the malicious sites and PowerShell command.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malicious domains

notepad-plus-plus.bonuscos\[.\]com  
microsoft.team-chaats\[.\]com  
cute-pdf\[.\]com  
ultra-viewer\[.\]com  
globalnetprotect\[.\]com  
sunsetsailcruises\[.\]com  
jam-softwere\[.\]com  
advanceipscaner\[.\]com  
filezila-project\[.\]com  
vape-wholesale-usa\[.\]com

Servers used before Cloudflare proxy

185.106.94\[.\]190  
89.31.143\[.\]90  
94.156.177\[.\]6  
141.8.192\[.\]93

Malware download URLs

hxxp\[://\]topsportracing\[.\]com/wpnot21  
hxxp\[://\]topsportracing\[.\]com/wp-s2  
hxxp\[://\]topsportracing\[.\]com/wp-s3  
hxxp\[://\]topsportracing\[.\]com/wp-25  
hxxp\[://\]chessive\[.\]com/10\[.\]exe  
hxxp\[://\]212\[.\]34\[.\]130\[.\]110/1\[.\]e

Malware C2

peter-secrets-diana-yukon\[.\]trycloudflare\[.\]com

 &#8216;Fix It&#8217; social-engineering scheme impersonates several brands 

Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.

Source: Konstantin Nechaev via Alamy Stock Photo

NEWS BRIEF

Fortinet has finally patched a critical security vulnerability in its Wireless LAN Manager (FortiWLM) that could allow unauthenticated sensitive information disclosure. And, when chained with another issue, it could lead to remote code execution (RCE), a researcher warned.

The bug (CVE-2023-34990, CVSS 9.6) was first disclosed in March, when it was described as an "unauthenticated limited file read vulnerability" without a CVE.

"This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system," Horizon3.ai security researcher Zach Hanley, who reported the bug to Fortinet, noted in March. He has confirmed to Dark Reading that the bug patched this week is the same issue.

He added, "Luckily for an attacker, the FortiWLM has very verbose logs — and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints."

NIST's National Vulnerability Database (NVD) has noted that the flaw can also be used to "execute unauthorized code or commands via specially crafted Web requests" — thanks to the access it provides to those authenticated endpoints.

The bug affects FortiWLM versions 8.6.0 through 8.6.5 (fixed in 8.6.6 or above) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above).

**Combining Fortinet Vulnerabilities to Achieve RCE**

Hanley back in March flagged a potential exploit chain as well: When CVE-2023-34990 is combined with an authenticated command-injection bug that Fortinet patched last year (CVE-2023-48782, CVSS 8.8), it becomes another recipe for RCE.

This second issue allows an attacker who has used CVE-2023-34990 to gain access to an authenticated endpoint to, from there, inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf\_switches.cgi endpoint that will be executed with root privileges.

"Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root," Hanley explained. "This endpoint is accessible for both low privilege users and admins."

Admins should patch the Fortinet appliances ASAP, given the vendor's status as a most-favored cyberattack target.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Fortinet Addresses Unpatched Critical RCE Vector

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Thursday, December 19, 2024 14:02

Welcome to the final Threat Source newsletter of 2024. 

Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not, let me share a story about what didn't quite go as planned in my family last year.  

When  some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens - they work cross platform and "survive" one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn't a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release. 

In the spirit of John McClane : “Now I know what a TV dinner feels like.” 

The kids found the gift "boring" and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a "bad guys win" scenario. (Only John Thor can drive somebody that crazy.) 

I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go "Yippee-ki-yay Mr Falcon" with tech gifts.  

However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We've been highlighting compromised credentials for a long time, as seen in our previous posts \[here\], \[here\], \[here\] and \[here\]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon. 

 Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world's top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using "just" TOTP in a software container is a significant improvement over just a password. 

But it's not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.   

If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA” 

Whichever is your idea of Christmas, then, like Argyle said, "I gotta be here for New Year's!"  

We look forward to seeing you in 2025!   

**The one big thing**

At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024.  Di you know  Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed. 

**Why do I care? **

We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.  

**So now what? **

Maybe you want to check for some CVEs or conduct a network security assessments.   
You can our team’s reports,roundups,spotlights and deep dives on our blog. 

**Top security headlines of the week **

 Blackhat Europe 2024 took place Dec 9-12 in London, UK. Loaded with a lot of interesting Sessions, my favorites are “Vulnerabilities in the eSIM download protocol” and “Over the Air: Compromise of Modern Volkswagen Group Vehicles” both showing how far an attack surface can possibly extend.  

Germany's Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)  

Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool) 

The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.

**Can’t get enough Talos? **

*   The evolution and abuse of proxy networks 
*   Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities 

**Upcoming events where you can find Talos **

  Cisco Live EMEA (February 9-14, 2025) 

Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d    
**VirusTotal:**  
https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8  

**SHA256:**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**VirusTotal:**  
https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**Typical Filename:** VID001.exe    
**Claimed Product:** n/a    
**Detection Name:** Win.Worm.Bitmin-9847045-0 

 **SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86    
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

 **SHA256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**Typical Filename:** VID001.exe   
**Claimed Product:** n/a    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos 

 **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:**  
7bdbd180c081fa63ca94f9c22c457376    
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
**Typical Filename:** IMG001.exe    
**Claimed Product:** N/A     
**Detection Name:** Trojan/Win32.CoinMiner.R174018

Tag

#web