Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted…

Millions of iOS and Android users are at risk after Symantec discovered that popular apps contain hardcoded, unencrypted cloud keys. This security flaw could lead to unauthorized access, data breaches, and service disruptions.

Research conducted by cybersecurity experts at Symantec has revealed that popular apps on both Android and iOS platforms contain hardcoded, unencrypted cloud service credentials, putting millions of users’ sensitive data and backend services at risk of unauthorized access and potential data breaches.

The issue comes from developers embedding access and secret keys directly in the app’s code instead of using secure storage methods. This makes it easy for attackers to access sensitive data, steal user information, or disrupt services.

Among the affected Android apps, Pic Stitch: Collage Maker, with over 5 million downloads, and Meru Cabs, Sulekha Business, and ReSound Tinnitus Relief, each with hundreds of thousands of downloads, were found to contain hardcoded AWS and Azure credentials, respectively. These credentials grant access to critical cloud storage and other backend services.

On the iOS side, popular apps like Crumbl (over 3.9 million ratings), Eureka: Earn Money for Surveys (402.1K ratings), and Videoshop – Video Editor (357.9K ratings) were also found to have hardcoded AWS credentials, including access keys and even WebSocket Secure (WSS) endpoints, further simplifying potential attacks.

Eureka IDA code with hardcoded AWS credentials (Via Symantec)

****Full list of impacted apps on iOS and Android****

*   **Crumbl (over 3.9 million ratings)**
*   **Meru Cabs (over 5 million downloads)**
*   **Sulekha Business (over 500,000 downloads)**
*   **Videoshop – Video Editor (over 357,000 ratings)**
*   **ReSound Tinnitus Relief (over 500,000 downloads)**
*   **Pic Stitch: Collage Maker (over 5 million downloads)**
*   **Eureka: Earn Money for Surveys (over 402,000 ratings)**

This issue, found on both Android and iOS, is a serious concern. It could lead to anything from individual data breaches to major service disruptions. Symantec’s findings show the urgent need for developers to follow security best practices.

To mitigate these risks, developers are advised to follow best practices for managing sensitive information within their applications. These include using environment variables, implementing secrets management, encrypting sensitive data, conducting regular code reviews and audits, and automating security scanning.

“This repeated pattern of insecure credential management across multiple apps underscores the critical need for developers to prioritize security in the mobile app development lifecycle,” **said** a Symantec spokesperson.

For users, Symantec advises installing **reputable security software**, downloading apps only from trusted sources, keeping software updated, carefully reviewing app permissions, and regularly backing up important data. These precautions can help mitigate the risks associated with insecure apps while developers work to address these critical vulnerabilities.

1.  Google reveals spyware attack on Android, iOS, and Chrome
2.  Study: Android sends more data to Google than iOS to Apple
3.  Bluetooth Falw Enables Keystroke Injection on Android and iOS
4.  WiFi Flaws Allow Network Traffic Interception on iOS and Android
5.  Instagram iOS, Android app flaw allowed account access to hackers

Millions of iOS and Android Users at Risk as Popular Apps Expose Cloud Keys

Not long ago, the ability to remotely track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a powerful surveillance tool that should only be in the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites.

The Global Surveillance Free-for-All in Mobile Ad Data

WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns.

Wednesday, October 23, 2024 06:02

*   WarmCookie is a malware family that emerged in April 2024 and has been distributed via regularly conducted malspam and malvertising campaigns. 
*   WarmCookie, observed being used for initial access and persistence, offers a means for continuous long-term access to compromised environments and is used to facilitate delivery of additional malware such as CSharp-Streamer-RAT and Cobalt Strike. 
*   Post-compromise intrusion activity associated with WarmCookie overlaps with previously observed activity we attribute to TA866.  
*   We assess that WarmCookie was likely developed by the same threat actor(s) as Resident backdoor, a post-compromise implant previously deployed in intrusion activity that Cisco Talos attributes to TA866.  

**What is WarmCookie? **

WarmCookie, also known as BadSpace, is a malware family that has been distributed since at least April 2024. Throughout 2024, we have observed several distribution campaigns conducted using a variety of lure themes to entice victims to take actions that result in malware infection.  

These campaigns typically rely on malspam or malvertising to initiate the infection process that results in the delivery of WarmCookie. WarmCookie offers a variety of useful functionality for adversaries including payload deployment, file manipulation, command execution, screenshot collection and persistence, making it attractive to use on systems once initial access has been gained to facilitate longer-term, persistent access within compromised network environments.  

In previously analyzed intrusion activity involving WarmCookie, we have observed that it is used as an initial payload and that CSharp-Streamer-RAT and Cobalt Strike were delivered following the initial WarmCookie infection.  

While analyzing the campaigns, intrusion activity, and infrastructure associated with WarmCookie over the course of 2024, we also identified multiple overlaps with activity conducted by TA866 in 2023. 

**Typical infection chains **

As previously mentioned, we have observed WarmCookie campaigns being conducted since at least April 2024. These campaigns rely on malspam or malvertising to facilitate the delivery of malicious content.  

In the case of malspam, we have observed consistent use of invoice-related and job agency themes that entice victims to access hyperlinks present in either the email body, or within attached documents, such as PDFs.  

Examples of common message subjects observed in campaigns conducted between April and August 2024 are listed below. 

*   United Rentals Inc: Invoice# [0-9]{9}\-[0-9]{3} 
*   Invoice and Remittance

In a recent campaign conducted in August, the messages contained PDF attachments. The attachment filenames were randomized but typically use the following format. 

*   Attachment_[0-9]{3}\-[0-9]{3}\.pdf

While there have been variations over time, below is a representative example of one of these emails and the associated PDF attachment. 

__WarmCookie emails and attachments.__

The PDFs contain hyperlinks that direct victims to web servers hosting malicious JavaScript files that continue the infection process. 

We have also observed WarmCookie campaigns leveraging infrastructure associated with traffic distribution and malware delivery systems. In one early campaign, we observed the use of the LandUpdates808 cluster of infrastructure described here. In observed cases, malicious JavaScript downloaders were being hosted at the following paths on servers associated with the LandUpdates808 cluster of web servers. 

/wp-content/upgrade/update\[.\]php

Regardless of whether the delivery stage of the attack was conducted via malspam or malvertising, an obfuscated JavaScript downloader is delivered that is responsible for continuing the infection process. We have observed the use of ZIP archives to compress the JavaScript file and the delivery of the JavaScript file directly from the distribution infrastructure.  

When executed, it deobfuscates and executes a PowerShell command that uses Bitsadmin to retrieve and execute the WarmCookie DLL using syntax, like that shown below. 

__PowerShell execution.__

We have observed a relatively small number of distribution servers hosting WarmCookie DLLs compared to the infrastructure used in earlier stages of the infection chain.  

**WarmCookie **

The main WarmCookie payload has been extensively analyzed in prior reporting here and here. While performing this research, newly observed WarmCookie samples were reported on social media during September 2024. We observed significant additions and changes in this latest version that demonstrate the threat actor is continuing to improve their tooling.  

We observed changes to the way the malware is executed and how persistence is achieved on infected systems. As described in prior reporting, the malware is typically delivered and executed as a PE DLL or a PE EXE. If the payload is in the DLL format, it is typically executed with specific command-line parameters that determine whether persistence should be achieved.  

In previous WarmCookie samples the execution was consistent with the following: 

rundll32.exe <DLL\_Filename>,Start /p

In the latest samples analyzed, this command-line syntax has been modified as follows: 

rundll32.exe <DLL\_Filename>,Start /u

Additionally, the user agent used during C2 communications in previous WarmCookie samples featured extraneous spaces not consistent with normal user agent strings seen in the wild. This allowed for easy detection of WarmCookie C2 activity via network traffic inspection. In the latest WarmCookie samples, this mistake has been corrected. Below is a comparison between the old and new user agent strings used during C2 communications. 

Old User Agent: 

Mozilla / 4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.0.3705)

New User Agent: 

Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0

We also observed the inclusion of a new self-updating mechanism that would enable an attacker to dynamically deliver updates to WarmCookie via the C2 server, however, this functionality did not appear to be fully implemented in the analyzed sample at the time. 

In the latest sample, changes were made to the sandbox detection mechanism present in the malware where some checks present in previous versions have been removed. 

__WarmCookie sandbox detection.__

Several changes to the C2 commands supported by the malware have also been made in the latest WarmCookie samples analyzed. The command to remove persistence and the malware itself has been deleted. New commands have been added as follows: 

*   **Command 0x8:** Supports the creation of a DLL file received from the C2 server that is assigned a temporary filename and then executed by WarmCookie.   
*   **Command 0xA**: Appears to be a prepared update command, it is like Command 0x8, but adds hardcoded parameters to the DLL:    
    C:\Windows\System32\rundll32.exe <tmpfilename.dll> Start /update
*   **Command 0xB**: Supports moving the malware to a temporary file name and location and deletes the previously scheduled task. It prepends the string ‘dat’ to the temporary filename. It also exits the C2 loop, leading to termination of the malware process. 

During the malware’s initialization and startup phase, the /update parameter of the Command 0xA is checked to determine if the parameter was set. Regardless of the result of this check, the same function is executed, as shown below. 

WarmCookie update parameter. 

Analysis suggests that the malware will continue to evolve moving forward as the threat actor continues to improve on it and adds additional functionality as needed. 

**Links to past intrusion activity **

While analyzing the distribution campaigns, infrastructure used, and post-compromise intrusion activity associated with WarmCookie, we identified multiple overlaps with previously observed malicious activity.  

In earlier WarmCookie distribution campaigns, threat actors relied on lures that appear as if they were associated with talent/job search agencies. As mentioned here, the lure documents and landing pages associated with this campaign are like those used by distributors of Ursnif in past campaigns.  

While analyzing intrusion activity associated with WarmCookie, we observed the deployment of CSharp-Streamer-RAT as a follow-on payload following the initial system compromise. CSharp-Streamer-RAT is a full-featured remote access trojan that offers robust functionality as described here.  

In this case, the sample reached out to a C2 server that was configured to use an SSL certificate that appeared to have been programmatically generated with several fields randomly populated. Using Regular Expressions to identify other servers with similar SSL characteristics, we identified three additional C2 servers, all previously associated with CSharp-Streamer-RAT samples. One of these C2 servers was observed being used by a CSharp-Streamer-RAT sample we identified in a previous intrusion that we assess with high confidence was conducted by TA866.  

The screenshot below shows the relevant fields present within the SSL certificate associated with the CSharp-Streamer-RAT C2 server observed in previous intrusion activity we attribute to TA866.  

__Previous CSharp-Streamer-RAT C2 SSL certificate.__

Below is an example of one of the SSL certificates associated with the CSharp-Streamer-RAT C2 server observed in recent WarmCookie intrusion activity. 

__Recent CSharp-Streamer-RAT C2 SSL certificate.__

Based on analysis of the system involved in this prior intrusion activity, we assess with high confidence that TA866/Asylum Ambuscade deployed CSharp-Streamer-RAT while directly operating on the system leading up to, during, and after its deployment. In the recent WarmCookie case, we also assess with high confidence that the attacker who deployed WarmCookie also deployed CSharp-Streamer-RAT following the initial compromise.

**WarmCookie vs. Resident backdoor **

As referenced here, and in prior reporting, TA866/Asylum Ambuscade has been observed delivering a post-compromise implant called Resident backdoor in prior intrusion activity. Prior reporting on WarmCookie has alluded to observed links between Resident backdoor and WarmCookie.

We performed a code and function level analysis of Resident backdoor samples from previous intrusion activity and WarmCookie samples from September 2024 and observed several notable similarities in the way core functionality has been implemented across both malware families. WarmCookie appears to contain much of the same functionality as Resident backdoor but has been significantly extended to support additional functionality.  

We assess that both were likely developed by the same entity based on the following analysis findings: 

*   The RC4 implementation is consistent across both malware families. 
*   The RC4 string decryption function implementation is consistent across both malware families. 
*   Mutex management is performed consistently across both malware families. 
*   Both malware families use GUID-like strings for the mutex. 
*   The way in which various functions were constructed and the coding conventions used is consistent. 
*   The definition of scheduled tasks to achieve persistence is consistent. 
*   Both malware families wait one minute before executing the scheduled task. 
*   The directory, file schema and parameters are similar in both malware families.  
*   The initial startup logic and command line parameter implementation are similar. 

**Code similarity analysis **

We conducted a similarity analysis of the code execution flow between both Resident backdoor and a recent WarmCookie sample that was shared on social media. We observed consistent implementation of core functionality across both as well as consistent use of coding conventions across both malware families. 

**Task Scheduler implementation **

If the malware is initially executed without supplying any parameters, both Resident and WarmCookie first determine if the initially launched application was a PE DLL or an PE EXE. Depending on the result, they either create a filename with the extension “.dll" or “.exe". Also based on the results of this test, they both create a scheduled task via the Windows Task Scheduler, which spawns a copy of the malware after waiting for 60 seconds. In the case that the initially launched application was a PE DLL, rundll32.exe is used to launch the malware. In the case of a PE EXE file, it is executed directly.  

They both attempt this in the %ALLUSERSPROFILE% directory, if that fails, they try it again in %ALLDATA% directory. 

__WarmCookie startup parameters.__

__WarmCookie persistence mechanism.__

__Resident backdoor startup parameters.__

__Resident backdoor persistence mechanism.__

__Resident backdoor persistence mechanism (cont’d).__

The overall startup logic is also the same in both Resident backdoor and WarmCookie. At the beginning of the startup process both check to determine if the malware was executed with a command line switch. In the case of the Resident backdoor, it is ‘/p’; in the case of WarmCookie it is ‘/u’. This parameter tells the application whether it is the first instance of itself or if the running version is the former copied version, which was previously made persistent via the Task Scheduler. This prevents multiple scheduled tasks from being created once the malware has achieved persistence.  

__WarmCooke startup logic.__

__Resident backdoor startup logic.__

One slight difference is that Resident uses the hardcoded string ‘RtlUpd’ to generate the filename for the scheduled task, whereas WarmCookie uses a hardcoded list of company names and randomly selects one, as shown below: 

__WarmCookie filename list.__

Based on our analysis of Resident backdoor and WarmCookie, we assess that they were likely developed by the same entity. While there are significant overlaps in the code and functionality implementations across Resident backdoor and WarmCookie, WarmCookie contains significantly more robust functionality and command support compared to Resident backdoor. Additionally, while WarmCookie has typically been deployed as an initial access payload in intrusion activity we have analyzed, Resident backdoor was deployed post-compromise following the deployment of several other components such as WasabiSeed, Screenshotter and AHK Bot.  

Given the differences in functionality and where each is encountered in the attack lifecycle, we classify Resident and WarmCookie as separate malware families that have been developed by the same threat actor. 

**Coverage **

Ways our customers can detect and block this threat are listed below. 

 Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here. 

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks. 

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here. 

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat. 

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products. 

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here. 

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them. 

Additional protection with context to your specific environment and threat data are available from the Firewall Management Center. 

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network. 

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The following Snort rule(s) have been developed to detect activity associated with this malicious activity.  

*   Snort 2 SIDs: 64139, 64140, 64141, 64142, 64143, 64144, 64145, 64146, 64147, 64148, 64149, 64150, 64151, 64152, 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162. 
*   Snort 3 SIDs: 64153, 64154, 64155, 64156, 64157, 64158, 64159, 64160, 64161, 64162, 301044, 301045, 301046, 301047, 301048, 301049, 301050.  

The following ClamAV signatures have been developed to detect activity associated with this malicious activity.  

*   Js.Downloader.Agent-10022279-0  
*   Vbs.Downloader.Agent-10022291-0  
*   Win.Trojan.WasabiSeed-10022304-0  
*   Js.Trojan.Screenshotter-10022306-0  
*   Js.Trojan.Agent-10022307-0  
*   Win.Trojan.Lazy-10022308-0  
*   Win.Trojan.Screenshotter-10022309-0  
*   PUA.Win.Tool.NetPing-10022493-0  
*   Win.Malware.CobaltStrike-10022494-0  
*   PUA.Win.Tool.AutoHotKey-10022305-1  
*   PUA.Win.Tool.RemoteUtilities-9869515-0  
*   PUA.Win.Tool.AdFind-9962378-0   
*   Txt.Downloader.AHKBot-10024463-0  
*   Ps1.Malware.CobaltStrike-10024466-0  
*   Win.Infostealer.Rhadamanthys-10024467-0  
*   Txt.Infostealer.Rhadamanthys-10024468-0  
*   Win.Backdoor.Agent-10025011-0  
*   Vbs.Trojan.Screenshotter-10025015-0  
*   Win.Malware.Warmcookie-10036688-0 
*   Win.Malware.CSsharpStreamer-10036641-0 

**Indicators of Compromise **

Indicators of compromise associated with WarmCookie/BadSpace activity can be found in our GitHub repository here.

Threat Spotlight: WarmCookie/BadSpace

TA866 (also known as Asylum Ambuscade) is a threat actor that has been conducting intrusion operations since at least 2020.

Highlighting TA866/Asylum Ambuscade Activity Since 2021

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control.
"Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is

Threat actors have been observed abusing Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload them to S3 buckets under their control.

"Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is not the case, and the attacker only seems to be capitalizing on LockBit's notoriety to further tighten the noose on their victims."

The ransomware artifacts have been found to embed hard-coded Amazon Web Services (AWS) credentials to facilitate data exfiltration to the cloud, a sign that adversaries are increasingly weaponizing popular cloud service providers for malicious schemes.

The AWS account used in the campaign is presumed to be either their own or compromised. Following responsible disclosure to the AWS security team, the identified AWS access keys and accounts have been suspended.

Trend Micro said it detected more than 30 samples with the AWS Access Key IDs and the Secret Access Keys embedded, signaling active development. The ransomware is capable of targeting both Windows and macOS systems.

It's not exactly known how the cross-platform ransomware is delivered to a target host, but once it's executed, it obtains the machine's universal unique identifier (UUID) and carries out a series of steps to generate the master key required for encrypting the files.

The initialization step is followed by the attacker enumerating the root directories and encrypting files matching a specified list of extensions, but not before exfiltrating them to AWS via S3 Transfer Acceleration (S3TA) for faster data transfer.

"After the encryption, the file is renamed according to the following format: <original file name>.<initialization vector>.abcd," the researchers said. "For instance, the file text.txt was renamed to text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd."

In the final stage, the ransomware changes the device's wallpaper to display an image that mentions LockBit 2.0 in a likely attempt to compel victims into paying up.

"Threat actors might also disguise their ransomware sample as another more publicly known variant, and it is not difficult to see why: the infamy of high-profile ransomware attacks further pressures victims into doing the attacker's bidding," the researchers said.

The development comes as Gen Digital released a decryptor for a Mallox ransomware variant that was spotted in the wild from January 2023 through February 2024 by taking advantage of a flaw in the cryptographic schema.

"Victims of the ransomware may be able to restore their files for free if they were attacked by this particular Mallox variant," researcher Ladislav Zezula said. "The crypto-flaw was fixed around March 2024, so it is no longer possible to decrypt data encrypted by the later versions of Mallox ransomware."

It should be mentioned that an affiliate of the Mallox operation, also known as TargetCompany, has been discovered using a slightly modified version of the Kryptina ransomware – codenamed Mallox v1.0 – to breach Linux systems.

"The Kryptina-derived variants of Mallox are affiliate-specific and separate from other Linux variants of Mallox that have since emerged, an indication of how the ransomware landscape has evolved into a complex menagerie of cross-pollinated toolsets and non-linear codebases," SentinelOne researcher Jim Walter noted late last month.

Ransomware continues to be a major threat, with 1,255 attacks claimed in the third quarter of 2024, down from 1,325 in the previous quarter, according to Symantec's analysis of data pulled from ransomware leak sites.

Microsoft, in its Digital Defense Report for the one-year period from June 2023 to June 2024, said it observed a 2.75x increase year-over-year in human-operated ransomware-linked encounters, while the percentage of attacks reaching the actual encryption phase has decreased over the past two years by threefold.

Some of the major beneficiaries of LockBit's decline following an international law enforcement operation targeting its infrastructure in February 2024 have been RansomHub, Qilin (aka Agenda), and Akira, the last of which has shifted back to double extortion tactics after briefly flirting with data exfiltration and extortion attacks alone in early 2024.

"During this period, we began to see Akira ransomware-as-a-service (RaaS) operators developing a Rust variant of their ESXi encryptor, iteratively building on the payload's functions while moving away from C++ and experimenting with different programming techniques," Talos said.

Attacks involving Akira have also leveraged compromised VPN credentials and newly disclosed security flaws to infiltrate networks, as well as escalate privileges and move laterally within compromised environments as part of efforts designed to establish a deeper foothold.

Some of the vulnerabilities exploited by Akira affiliates are listed below -

*   CVE-2020-3259
*   CVE-2023-20263
*   CVE-2023-20269
*   CVE-2023-27532
*   CVE-2023-48788
*   CVE-2024-37085
*   CVE-2024-40711, and
*   CVE-2024-40766

"Throughout 2024, Akira has targeted a significant number of victims, with a clear preference for organizations in the manufacturing and professional, scientific, and technical services sectors," Talos researchers James Nutland and Michael Szeliga said.

"Akira may be transitioning from the use of the Rust-based Akira v2 variant and returning to previous TTPs using Windows and Linux encryptors written in C++."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-hhxg-rvc9-8726: camaleon_cms affected by cross site scripting

The ABB BMS/BAS controller suffers from an unauthenticated log information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose the webserver's log file containing system information running on the device.

ABB Cylon Aspect 3.08.01 (logCriticalLookup.php) Unauthenticated Log Disclosure

ABB Cylon Aspect 3.08.01 (throttledLog.php) Unauthenticated Log Disclosure

PRESS RELEASE

Kuala Lumpur, Malaysia – 22 Oct. 2024 –  SoftwareOne Holding AG, a leading global software and cloud solutions provider, has launched a SoftwareOne Cloud Competency Centre in collaboration with Amazon Web Services (AWS) in Kuala Lumpur, Malaysia. 

Serving businesses across Southeast Asia, this new centre will provide clients with local expertise and support in AWS cloud services, including generative artificial intelligence (AI) tools Amazon Bedrock, a fully managed service that provides a single API to access and utilise high-performing foundation model from leading AI companies, and Amazon Q, a generative AI-powered assistant for business and developers, to drive digital transformation. By establishing the SoftwareOne Cloud Competency Centre in Malaysia, SoftwareOne further expands its global delivery network across fast-growing technology markets to help local businesses innovate with the latest technology advancements. The SoftwareOne Cloud Competency Centre opening follows AWS’s own recent announcement of cloud infrastructure expansion in Malaysia.  

"As an AWS Premier Tier Services Partner, we are thrilled to continue our collaboration with AWS through the opening of our new SoftwareOne Cloud Competency Centre in Malaysia,” said David Tan, Regional Services Leader, APAC at SoftwareOne. "This is strategically aligned with AWS's commitment to Asia and will make SoftwareOne’s global expertise and resources readily accessible to local clients. Businesses of all types will be able to accelerate their digital journeys more efficiently, benefiting from on-the-ground support in cloud migration, application modernisation, end-user computing, and FinOps.” 

“AWS is committed to enabling global organisations across industries with the world’s most comprehensive and broadly adopted cloud, and AI technologies to innovate, scale, and achieve their business and digital transformation objectives with efficiency and resilience. The recent launch of our AWS Region in Malaysia deepens that resolve,” said Peter Murray, Country Manager, AWS Malaysia. “As a Premier Tier AWS Partner, SoftwareOne is well-positioned to help businesses adopt and optimise their AWS use. Establishing the SoftwareOne Cloud Competency Centre in Malaysia aligns our goals of expanding cloud accessibility and compliance capabilities locally for customers.” 

The SoftwareOne Cloud Competency Centre experts will guide clients in implementing the SoftwareOne Landing Zone for AWS, a comprehensive pre-configured and automated framework that provides a foundation for building a secure, multi-account AWS environment. Featuring cloud infrastructure, policies, and guardrails, including centrally managed services, it is designed to help organisations quickly set up a secure and scalable environment with a consistent set of AWS best practices.  

Leveraging industry-leading infrastructure as code tool Terraform, SoftwareOne’s Landing Zone for AWS gets clients up and running from a zero footprint to AWS workload deployment within days. It also helps clients improve the operational efficiency of their AWS environments with SoftwareOne’s ongoing management and expertise in implementing patching and updates. 

“Our cloud journey involves migrating and modernising complicated and legacy workloads with stringent timelines, and we need a partner who is agile, understands such complex environments and can work closely with our internal team,” said Daniel Anand, Head of Technology Infrastructure and Architecture, Sun Life Malaysia. “SoftwareOne is helping us implement best-in-class solutions tailored to our needs, ensuring a seamless transition to the cloud while maintaining compliance with us in building the detailed business case for board approval and aligning with Sun Life global cloud framework and compliance.” 

“The launch of the regional SoftwareOne Cloud Competency Centre demonstrates SoftwareOne’s continued dedication to empowering digital transformation globally,” said Sean Pope, Global Leader, SoftwareOne Centre of Excellence for AWS. “This Centre will be a cornerstone in our global portfolio development, enhancing our ability to deliver cutting-edge solutions and support to businesses in SEA. The innovations and best practices we establish here will also be pillars upon which to build, benefitting other regions by enhancing our global AWS service offerings.” 

For more information about the SoftwareOne Cloud Competency Centre in SEA and its support of digital transformation initiatives, please visit www.softwareone.com. 

About SoftwareOne  

SoftwareOne is a leading global software and cloud solutions provider that is redefining how organizations build, buy and manage everything in the cloud. By helping clients to migrate and modernize their workloads and applications – and in parallel, to navigate and optimize the resulting software and cloud changes – SoftwareOne unlocks the value of technology. The company’s ~9,300 employees are driven to deliver a portfolio of 7,500 software brands with sales and delivery capabilities in over 60 countries. Headquartered in Switzerland, SoftwareOne is listed on the SIX Swiss Exchange under the ticker symbol SWON. Visit us at www.softwareone.com.

SoftwareOne Launches Cloud Competency Centre in Malaysia

Without DMARC, campaigns remain highly susceptible to phishing, domain spoofing, and impersonation.

Source: Saphiens via Alamy Stock Photo

Nearly 75% of US Senate campaign websites are lacking when it comes to DMARC protections, otherwise known as Domain-based Message Authentication, Reporting, and Conformance safeguards.

DMARC tools are used to prevent phishing and spoofing attacks by ensuring that the domains from which emails are sent get authenticated.

Without these protections, campaign websites are left vulnerable to cyberattacks, a critical issue given that these campaigns are emailing voters, donors, and staff frequently.

This could lead to compromised voter information, donor data, strategic campaign plans, and other sensitive data, furthering a lack of public trust in US elections, an issue that has become increasingly prominent in the past few years. In 2016, Russian state actors tried to influence the presidential election by disrupting the election process and hacking emails. 

According to the study, conducted by Red Sift, campaigns will remain highly susceptible to phishing, domain spoofing, and impersonation attacks without DMARC, ultimately leading to slower campaign operations, leaks in confidential information, and worse.

The report calls for immediate prioritization of DMARC implementation across US Senate and presidential campaigns, and insuring that these implementations are properly configured.

**About the Author**

Tag

#web