CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday said there are no indications that the cyber attack targeting the Treasury Department impacted other federal agencies.

The agency said it's working closely with the Treasury Department and BeyondTrust to get a better understanding of the breach and mitigate its impacts.

"The security of federal systems and the data they protect is of critical importance to our national security," CISA said. "We are working aggressively to safeguard against any further impacts and will provide updates, as appropriate."

The latest statement comes a week after the Treasury Department said it was the victim of a "major cybersecurity incident" that allowed Chinese state-sponsored threat actors to remotely access some computers and unclassified documents.

The cyber attack, which came to light in early December 2024, involved a breach of BeyondTrust's systems that allowed the adversary to infiltrate some of the company's Remote Support SaaS instances by making use of a compromised Remote Support SaaS API key.

In an updated statement on January 6, 2025, BeyondTrust said "no new customers have been identified beyond those we have communicated with previously." China has denied allegations that it breached the U.S. Treasury Department.

Data shared by attack surface management company Censys shows that as many as 13,548 exposed BeyondTrust Remote Support and Privileged Remote Access instances have been observed online as of January 6.

Last week, the Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against a Chinese cybersecurity company, Integrity Technology Group, Incorporated, accusing it of lending infrastructure support to another hacking group called Flax Typhoon as part of a long-running campaign against U.S. critical infrastructure.

The attack against the Treasury is the latest in a wave of intrusions perpetrated by Chinese threat actors such as Volt Typhoon and Salt Typhoon targeting U.S. critical infrastructure and telecommunications networks, respectively.

The Wall Street Journal revealed that among the nine telecom companies breached by Salt Typhoon are Charter Communications, Consolidated Communications, and Windstream. Some of the other entities previously identified included AT&T, T-Mobile, Verizon, and Lumen Technologies.

In a new report published today, Bloomberg said the Chinese state-sponsored threat group dubbed APT41 penetrated the executive branch of the Philippines government and siphoned sensitive data related to disputes over the South China Sea as part of a yearslong campaign from early 2023 to June 2024.

China Ramps Up Cyber Attacks on Taiwan

The developments also follow a report from Taiwan's National Security Bureau (NSB), warning of increasing sophistication of cyber attacks orchestrated by China against the country. A total of 906 cases of cyber incidents have been registered against government and private sector entities in 2024, up from 752 in 2023.

The modus operandi entails typically exploiting vulnerabilities in Netcom devices and utilizing living-off-the-land (LotL) techniques to establish footholds, evade detection, and deploy malware for follow-on attacks and data theft. Alternative attack chains involve sending spear-phishing emails to Taiwanese civil servants.

Other widely observed Chinese attacks against Taiwanese targets are listed below -

• Distributed denial-of-service (DDoS) attacks on transportation and financial sectors coinciding with military drills by the People's Liberation Army (PLA)
• Ransomware attacks on the manufacturing sector
• Targeting high-tech startups to steal patented technologies
• Theft of personal data of Taiwanese nationals to sell them on underground cybercrime forums.
• Criticism of Taiwan's cybersecurity capabilities on social media platforms to erode confidence in the government

"Attacking the communications field, mainly telecommunications industry, has grown by 650%, and attacking the fields of transportation and defense supply chain have grown by 70% and 57%, respectively," the NSB said.

"By applying diverse hacking techniques, China has conducted reconnaissance, set cyber ambushes, and stolen data through hacking operations targeting Taiwan's government, critical infrastructure, and key private enterprises."

The NSB has also called out China for conducting influence operations against Taiwan, conducting disinformation campaigns seeking to undermine public confidence in the government and heighten social divisions via social media platforms like Facebook and X.

Notable among the tactics is the extensive use of inauthentic accounts to flood comment sections on social media platforms used by Taiwanese people to disseminate manipulated videos and meme images. Malicious cyber activities have also been found to hijack Taiwanese users' social media accounts to spread disinformation.

"China has been using Deepfake technology to fabricate video clips of Taiwanese political figures' speeches, attempting to mislead the Taiwanese public's perception and understanding," the NSB said.

"In particular, China actively establishes convergence media brands or proxy accounts on platforms such as Weibo, TikTok, and Instagram, working to spread official media content and Taiwan-focused propaganda."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/MZ9lH4Q
via IFTTT

Moxa Alerts Users to High-Severity Vulnerabilities in Cellular and Secure Routers

Jan 07, 2025Ravie LakshmananVulnerability / Network Security

Taiwan-based Moxa has warned of two security vulnerabilities impacting its cellular routers, secure routers, and network security appliances that could allow privilege escalation and command execution.

The list of vulnerabilities is as follows -

• CVE-2024-9138 (CVSS 4.0 score: 8.6) - A hard-coded credentials vulnerability that could allow an authenticated user to escalate privileges and gain root-level access to the system, leading to system compromise, unauthorized modifications, data exposure, or service disruption
• CVE-2024-9140 (CVSS 4.0 score: 9.3) - A vulnerability allows attackers to exploit special characters to bypass input restrictions, potentially leading to unauthorized command execution

The shortcomings, reported by security researcher Lars Haulin, affect the below products and firmware versions -

• CVE-2024-9138 - EDR-810 Series (Firmware version 5.12.37 and earlier), EDR-8010 Series (Firmware version 3.13.1 and earlier), EDR-G902 Series (Firmware version 5.7.25 and earlier), EDR-G902 Series (Firmware version 5.7.25 and earlier), EDR-G9004 Series (Firmware version 3.13.1 and earlier), EDR-G9010 Series (Firmware version 3.13.1 and earlier), EDF-G1002-BP Series (Firmware version 3.13.1 and earlier), NAT-102 Series (Firmware version 1.0.5 and earlier), OnCell G4302-LTE4 Series (Firmware version 3.13 and earlier), and TN-4900 Series (Firmware version 3.13 and earlier)
• CVE-2024-9140 - EDR-8010 Series (Firmware version 3.13.1 and earlier), EDR-G9004 Series (Firmware version 3.13.1 and earlier), EDR-G9010 Series (Firmware version 3.13.1 and earlier), EDF-G1002-BP Series (Firmware version 3.13.1 and earlier), NAT-102 Series (Firmware version 1.0.5 and earlier), OnCell G4302-LTE4 Series (Firmware version 3.13 and earlier), and TN-4900 Series (Firmware version 3.13 and earlier)

Patches have been made available for the following versions -

• EDR-810 Series (Upgrade to the firmware version 3.14 or later)
• EDR-8010 Series (Upgrade to the firmware version 3.14 or later)
• EDR-G902 Series (Upgrade to the firmware version 3.14 or later)
• EDR-G903 Series (Upgrade to the firmware version 3.14 or later)
• EDR-G9004 Series (Upgrade to the firmware version 3.14 or later)
• EDR-G9010 Series (Upgrade to the firmware version 3.14 or later)
• EDF-G1002-BP Series (Upgrade to the firmware version 3.14 or later)
• NAT-102 Series (No official patch available)
• OnCell G4302-LTE4 Series (Please contact Moxa Technical Support)
• TN-4900 Series (Please contact Moxa Technical Support)

As mitigations, it's recommended to ensure that devices are not exposed to the internet, limit SSH access to trusted IP addresses and networks using firewall rules or TCP wrappers, and implement measures to detect and prevent exploitation attempts.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/pw4zEnk
via IFTTT

India Proposes Digital Data Rules with Tough Penalties and Cybersecurity Requirements

Jan 06, 2025Ravie LakshmananRegulatory Compliance / Data Privacy

The Indian government has published a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation.

"Data fiduciaries must provide clear and accessible information about how personal data is processed, enabling informed consent," India's Press Information Bureau (PIB) said in a statement released Sunday.

"Citizens are empowered with rights to demand data erasure, appoint digital nominees, and access user-friendly mechanisms to manage their data."

The rules, which seek to operationalize the Digital Personal Data Protection Act, 2023, also give citizens greater control over their data, providing them with options for giving informed consent to processing their information, as well as the right to erase with digital platforms and address grievances.

Companies operating in India are further required to implement security measures, such as encryption, access control, and data backups, to safeguard personal data, and ensure its confidentiality, integrity, and availability.

Some of the other notable provisions of the DPDP Act that data fiduciaries are expected to comply are listed below -

• Implement mechanisms for detecting and addressing breaches and maintenance of logs
• In the event of a data breach, provide detailed information about the sequence of events that led to the incident, actions taken to mitigate the threat, and the identity of the individual(s), if known, within 72 hours (or more, if permitted) to the Data Protection Board (DPB)
• Delete personal data no longer needed after a three-year period and notify individuals 48 hours before erasing such information
• Clearly display on their websites/apps the contact details of a designated Data Protection Officer (DPO) who is responsible for addressing any questions regarding users' processing of personal data
• Obtain verifiable consent from parents or legal guardians prior to processing the personal data of children under 18 or persons with disabilities (exemptions include healthcare professionals, educational institutions, and childcare providers, but only restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking)
• Conduct a Data Protection Impact Assessment (DPIA) and a comprehensive audit once every year, and report the results to DPB (limited to only data fiduciaries deemed "significant")
• Adhere to requirements the federal government sets when it comes to cross-border data transfers (the exact categories of personal data that must remain within India's borders will be determined by a specialized committee)

The draft rules have also proposed certain safeguards for citizens when their data is being processed by federal and state government agencies, requiring that such processing happen in a manner that's lawful, transparent, and "in line with legal and

policy standards."

Organizations that misuse or fail to safeguard individuals' digital data or notify the DPB of a security breach can face monetary penalties of up to ₹250 crore (nearly $30 million).

The Ministry of Electronics and Information Technology (MeitY) is soliciting feedback from the public on the draft regulations until February 18, 2025. It also said the submissions will not be disclosed to any party.

The DPDP Act was formally passed in August 2023 after being reworked several times since 2018. The data protection regulation came forth in the wake of a 2017 ruling from India's top court which reaffirmed the right to privacy as a fundamental right under the Constitution of India.

The development comes over a month after the Department of Telecommunications issued the Telecommunications (Telecom Cyber Security) Rules, 2024, under the Telecommunications Act, 2023, to secure communication networks and impose stringent data breach disclosure guidelines.

According to the new rules, a telecom entity must report any security incident affecting its network or services to the federal government within six hours of becoming aware of it, with the affected company also sharing additional relevant information within 24 hours.

In addition, telecommunication companies are required to appoint a Chief Telecommunication Security Officer (CTSO) who must be an Indian citizen and a resident of India, and share traffic data – excluding message content – with the federal government in a specified format for "protecting and ensuring telecom cybersecurity."

However, the Internet Freedom Foundation (IFF) said the "overbroad phrasing" and the removal of the definition of "traffic data" from the draft could open the door for misuse.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/u70dPQY
via IFTTT

Coming soon: AI Summaries in Alerts!

In October, we released Security Onion 2.4.110 and it included a new AI Summary feature in our Detections interface:

https://blog.securityonion.net/2024/10/security-onion-24110-hurricane-helene.html

Over the last few months, we've continued to iterate on that AI Summary feature to make it available in the Alerts interface without having to pivot to Detections!

This will be included in Security Onion 2.4.120 which is coming soon!

from Security Onion https://ift.tt/jNGXKB2
via IFTTT

FireScam Android Malware Poses as Telegram Premium to Steal Data and Control Devices

Jan 06, 2025Ravie LakshmananMalware / Mobile Security

An Android information stealing malware named FireScam has been found masquerading as a premium version of the Telegram messaging app to steal data and maintain persistent remote control over compromised devices.

"Disguised as a fake 'Telegram Premium' app, it is distributed through a GitHub.io-hosted phishing site that impersonates RuStore – a popular app store in the Russian Federation," Cyfirma said, describing it as a "sophisticated and multifaceted threat."

"The malware employs a multi-stage infection process, starting with a dropper APK, and performs extensive surveillance activities once installed."

The phishing site in question, rustore-apk.github[.]io, mimics RuStore, an app store launched by Russian tech giant VK in the country, and is designed to deliver a dropper APK file ("GetAppsRu.apk").

Once installed, the dropper acts as a delivery vehicle for the main payload, which is responsible for exfiltrating sensitive data, including notifications, messages, and other app data, to a Firebase Realtime Database endpoint.

The dropper app requests several permissions, including the ability to write to external storage and install, update, or delete arbitrary apps on infected Android devices running Android 8 and later.

"The ENFORCE_UPDATE_OWNERSHIP permission restricts app updates to the app's designated owner. The initial installer of an app can declare itself the 'update owner,' thereby controlling updates to the app," Cyfirma noted.

"This mechanism ensures that update attempts by other installers require user approval before proceeding. By designating itself as the update owner, a malicious app can prevent legitimate updates from other sources, thereby maintaining its persistence on the device."

FireScam employs various obfuscation and anti-analysis techniques to evade detection. It also keeps tabs on incoming notifications, screen state changes, e-commerce transactions, clipboard content, and user activity to gather information of interest. Another notable function is its ability to download and process image data from a specified URL.

The rogue Telegram Premium app, when launched, further seeks users' permission to access contact lists, call logs, and SMS messages, after which a login page for the legitimate Telegram website is displayed through a WebView to steal the credentials. The data gathering process is initiated regardless of whether the victim logs in or not.

Lastly, it registers a service to receive Firebase Cloud Messaging (FCM) notifications, allowing it to receive remote commands and maintain covert access – a sign of the malware's broad monitoring capabilities. The malware also simultaneously establishes a WebSocket connection with its command-and-control (C2) server for data exfiltration and follow-on activities.

Cyfirma said the phishing domain also hosted another malicious artifact named CDEK, which is likely a reference to a Russia-based package and delivery tracking service. However, the cybersecurity company said it was unable to obtain the artifact at the time of analysis.

It's currently not clear who the operators are, or how users are directed to these links, and if it involves SMS phishing or malvertising techniques.

"By mimicking legitimate platforms such as the RuStore app store, these malicious websites exploit user trust to deceive individuals into downloading and installing fake applications," Cyfirma said.

"FireScam carries out its malicious activities, including data exfiltration and surveillance, further demonstrating the effectiveness of phishing-based distribution methods in infecting devices and evading detection."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/DIKEXHG
via IFTTT

Russian-Speaking Attackers Target Ethereum Devs with Fake Hardhat npm Packages

Jan 06, 2025Ravie LakshmananBlockchain / Malware

Cybersecurity researchers have revealed several malicious packages on the npm registry that have been found impersonating the Nomic Foundation's Hardhat tool in order to steal sensitive data from developer systems.

"By exploiting trust in open source plugins, attackers have infiltrated these platforms through malicious npm packages, exfiltrating critical data such as private keys, mnemonics, and configuration details," the Socket research team said in an analysis.

Hardhat is a development environment for Ethereum software, incorporating various components for editing, compiling, debugging and deploying smart contracts and decentralized apps (dApps).

The list of identified counterfeit packages is as follows -

• nomicsfoundations
• @nomisfoundation/hardhat-configure
• installedpackagepublish
• @nomisfoundation/hardhat-config
• @monicfoundation/hardhat-config
• @nomicsfoundation/sdk-test
• @nomicsfoundation/hardhat-config
• @nomicsfoundation/web3-sdk
• @nomicsfoundation/sdk-test1
• @nomicfoundations/hardhat-config
• crypto-nodes-validator
• solana-validator
• node-validators
• hardhat-deploy-others
• hardhat-gas-optimizer
• solidity-comments-extractors

Of these packages, @nomicsfoundation/sdk-test has attracted 1,092 downloads. It was published over a year ago in October 2023. Once installed, they are designed to harvest mnemonic phrases and private keys from the Hardhat environment, following which they are exfiltrated to an attacker-controlled server.

"The attack begins when compromised packages are installed. These packages exploit the Hardhat runtime environment using functions such as hreInit() and hreConfig() to collect sensitive details like private keys, mnemonics, and configuration files," the company said.

"The collected data is transmitted to attacker-controlled endpoints, leveraging hardcoded keys and Ethereum addresses for streamlined exfiltration."

The disclosure comes days after the discovery of another malicious npm package named ethereumvulncontracthandler that masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but instead harbored functionality to drop the Quasar RAT malware.

In recent months, malicious npm packages have also been observed using Ethereum smart contracts for command-and-control (C2) server address distribution, co-opting infected machines into a blockchain-powered botnet called MisakaNetwork. The campaign has been tracked back to a Russian-speaking threat actor named "_lain."

"The threat actor points out an inherent npm ecosystem complexity, where packages often rely on numerous dependencies, creating a complex 'nesting doll' structure," Socket said.

"This dependency chain makes comprehensive security reviews challenging and opens opportunities for attackers to introduce malicious code. _lain admits to exploiting this complexity and dependency sprawl in npm ecosystems, knowing that it is impractical for developers to scrutinize every single package and dependency."

That's not all. A set of phony libraries uncovered across the npm, PyPI, and RubyGems ecosystems have been found leveraging out-of-band application security testing (OAST) tools such as oastify.com and oast.fun to exfiltrate sensitive data to attacker-controlled servers.

The names of the packages are as follows -

• adobe-dcapi-web (npm), which avoids compromising Windows, Linux, and macOS endpoints located in Russia and comes with capabilities to collect system information
• monoliht (PyPI), which collects system metadata
• chauuuyhhn, nosvemosssadfsd, holaaaaaafasdf (RubyGems), which contain embedded scripts designed to transfer sensitive information via DNS queries to an oastify.com endpoint

"The same tools and techniques created for ethical security assessments are being misused by threat actors," Socket researcher Kirill Boychenko said. "Originally intended to uncover vulnerabilities in web applications, OAST methods are increasingly exploited to steal data, establish command and control (C2) channels, and execute multi-stage attacks."

To mitigate the supply chain risks posed by such packages, it's recommended that software developers verify package authenticity, exercise caution when typing package names, and inspect the source code before installation.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/6pGYAHd
via IFTTT

The Cloudcast #886 - Reflections, Resolutions and Beginning 2025

As a new year is upon us, let's make a checklist of the most important areas to focus upon to make Q1 successful and set up the rest of 2025 for success. 

SHOW: 886

SHOW TRANSCRIPT: The Cloudcast #886 Transcript

SHOW VIDEO: https://youtube.com/@TheCloudcastNET 

CLOUD NEWS OF THE WEEK: http://bit.ly/cloudcast-cnotw

CHECK OUT OUR NEW PODCAST: "CLOUDCAST BASICS"

SHOW NOTES:

SOME TIPS, TRICKS, SUGGESTIONS AND REFLECTIONS AS WE BEGIN YET ANOTHER YEAR

• General Stuff - Get rid of clutter, set goals, 
• Health - Make it a daily priority (schedule it, between meetings, every little bit helps)
• Budgets - What can you do if they aren’t finalized?
• Skills - If you aren’t growing, you’re regressing. What are you going to focus on?
• Prioritization - Do you understand them in your company, your group, and you personally?
• Networking - Are you aligned to the power centers in your business?
• Justifications - Where are costs and ROI going to be the most scrutinized in your company? 
• Understand the Game - How is technology impacting your business/role? How is your industry changing?

FEEDBACK?

• Email: show at the cloudcast dot net
• Twitter/X: @cloudcastpod
• BlueSky: @cloudcastpod.bsky.social
• Instagram: @cloudcastpod
• TikTok: @cloudcastpod

from The Cloudcast (.NET) https://ift.tt/MfTgIQx
via IFTTT

Researchers Uncover Nuclei Vulnerability Enabling Signature Bypass and Code Execution

Jan 04, 2025Ravie LakshmananVulnerability / Software Security

A high-severity security flaw has been disclosed in ProjectDiscovery's Nuclei, a widely-used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code.

Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It impacts all versions of Nuclei later than 3.0.0.

"The vulnerability stems from a discrepancy between how the signature verification process and the YAML parser handle newline characters, combined with the way multiple signatures are processed," according to a description of the vulnerability.

"This allows an attacker to inject malicious content into a template while maintaining a valid signature for the benign part of the template."

Nuclei is a vulnerability scanner designed to probe modern applications, infrastructure, cloud platforms, and networks to identify security flaws. The scanning engine makes use of templates, which are nothing but YAML files, to send specific requests in order to determine the presence of a flaw.

Furthermore, it can enable the execution of external code on the host operating system using the code protocol, thereby giving researchers more flexibility over security testing workflows.

Cloud security firm Wiz, which discovered CVE-2024-43405, said the vulnerability is rooted in the template signature verification process, which is used to ensure the integrity of the templates made available in the official templates repository.

Successful exploitation of the vulnerability is a bypass of this crucial verification step, allowing attackers to craft malicious templates that can execute arbitrary code and access sensitive data from the host.

"Since this signature verification is currently the only method available for validating Nuclei templates, it represents a potential single point of failure," Wiz researcher Guy Goldenberg said in a Friday analysis.

At its core, the problem stems from the use of regular expressions (aka regex) for signature validation and the parsing conflict arising as a result of using both regex and YAML parser, thus opening the door to a scenario where an attacker can introduce a "\r" character such that it sidesteps the regex-based signature verification and gets interpreted as a line break by the YAML parser.

Put differently, these parsing inconsistencies could be chained to create a Nuclei template that uses "\r" to include a second "# digest:" line that evades the signature verification process but gets parsed and executed by the YAML interpreter.

"Go's regex-based signature verification treats \\r as part of the same line, while the YAML parser interprets it as a line break. This mismatch allows attackers to inject content that bypasses verification but is executed by the YAML parser," Goldenberg explained.

"The verification logic validates only the first # digest: line. Additional # digest: lines are ignored during verification but remain in the content to be parsed and executed by YAML."

Furthermore, the verification process includes a step to exclude the signature line from the template content, but does so in a manner that only the first line is validated, thus leaving the subsequent lines unverified but executable.

Following responsible disclosure, it was addressed by ProjectDiscovery on September 4, 2024, with version 3.3.2. The current version of Nuclei is 3.3.7.

"Attackers could craft malicious templates containing manipulated # digest lines or carefully placed \r line breaks to bypass Nuclei's signature verification," Goldenberg said.

"An attack vector for this vulnerability arises when organizations run untrusted or community-contributed templates without proper validation or isolation. An attacker could exploit this functionality to inject malicious templates, leading to arbitrary command execution, data exfiltration, or system compromise."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/Gcm9JPW
via IFTTT

PLAYFULGHOST Delivered via Phishing and SEO Poisoning in Trojanized VPN Apps

Jan 04, 2025Ravie LakshmananMalware / VPN Security

Cybersecurity researchers have flagged a new malware called PLAYFULGHOST that comes with a wide range of information-gathering features like keylogging, screen capture, audio capture, remote shell, and file transfer/execution.

The backdoor, according to Google's Managed Defense team, shares functional overlaps with a known remote administration tool referred to as Gh0st RAT, which had its source code publicly leaked in 2008.

PLAYFULGHOST's initial access pathways include the use of phishing emails bearing code of conduct-related lures or search engine optimization (SEO) poisoning techniques to distribute trojanized versions of legitimate VPN apps like LetsVPN.

"In one phishing case, the infection begins by tricking the victim into opening a malicious RAR archive disguised as an image file by using a .jpg extension," the company said. "When extracted and executed by the victim, the archive drops a malicious Windows executable, which eventually downloads and executes PLAYFULGHOST from a remote server."

Attack chains employing SEO poisoning, on the other hand, seek to deceive unsuspecting users into downloading a malware-laced installer for LetsVPN, which, when launched, drops an interim payload responsible for retrieving the backdoor components.

The infection is notable for leveraging methods such as DLL search order hijacking and side-loading to launch a malicious DLL that's then used to decrypt and load PLAYFULGHOST into memory.

Mandiant said it also observed a "more sophisticated execution scenario" wherein a Windows shortcut ("QQLaunch.lnk") file, combines the contents of two other files named "h" and "t" to construct the rogue DLL and sideload it using a renamed version of "curl.exe."

PLAYFULGHOST is capable of setting up persistence on the host using four different methods: Run registry key, scheduled task, Windows Startup folder, and Windows service. It boasts an extensive set of features that allow it to gather extensive data, including keystrokes, screenshots, audio, QQ account information, installed security products, clipboard content, and system metadata.

It also comes with capabilities to drop more payloads, block mouse and keyboard input, clear Windows event logs, wipe clipboard data, perform file operations, delete caches and profiles associated with web browsers like Sogou, QQ, 360 Safety, Firefox, and Google Chrome, and erase profiles and local storage for messaging applications such as Skype, Telegram, and QQ.

Some of the other tools deployed via PLAYFULGHOST are Mimikatz and a rootkit that's capable of hiding registry, files, and processes specified by the threat actor. Also dropped along with the download of PLAYFULGHOST components is an open-source utility called Terminator that can kill security processes by means of a Bring Your Own Vulnerable Driver (BYOVD) attack.

"On one occasion, Mandiant observed a PLAYFULGHOST payload being embedded within BOOSTWAVE," the tech giant said. "BOOSTWAVE is a shellcode that acts as in-memory dropper for an appended Portable Executable (PE) payload."

The targeting of applications like Sogou, QQ, and 360 Safety and the use of LetsVPN lures raise the possibility that these infections are targeting Chinese-speaking Windows users. In July 2024, Canadian cybersecurity vendor eSentire revealed a similar campaign that leveraged fake installers for Google Chrome to propagate Gh0st RAT using a dropper dubbed Gh0stGambit.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/6A14FEa
via IFTTT

U.S. Treasury Sanctions Beijing Cybersecurity Firm for State-Backed Hacking Campaigns

Jan 04, 2025Ravie LakshmananCyber Espionage / IoT Botnet

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday issued sanctions against a Beijing-based cybersecurity company known as Integrity Technology Group, Incorporated for orchestrating several cyber attacks against U.S. victims.

These attacks have been publicly attributed to a Chinese state-sponsored threat actor tracked as Flax Typhoon (aka Ethereal Panda or RedJuliett), which was outed last year as operating an Internet of Things (IoT) botnet called Raptor Train.

The hacking crew has been active since at least mid-2021, targeting various entities across North America, Europe, Africa, and across Asia. Attacks mounted by Flax Typhoon have typically leveraged known vulnerabilities to gain initial access to victims' computers and then make use of legitimate remote access software to maintain persistent access.

The Treasury Department described Chinese malicious cyber actors as one of the "most active and most persistent threats to U.S. national security," repeatedly targeting U.S. government systems, including those associated with the federal agency.

"The Treasury Department will not hesitate to hold malicious cyber actors and their enablers accountable for their actions," said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. "The United States will use all available tools to disrupt these threats as we continue working collaboratively to harden public and private sector cyber defenses."

Integrity Group, also known as Yongxin Zhicheng, has been accused of providing infrastructure support to Flax Typhoon cyber campaigns between mid-2022 and late-2023, with the U.S. Department of State classifying it as a government contractor with ties to the People's Republic of China (PRC) Ministry of State Security. It was established in September 2010.

"It provides services to country and municipal State Security and Public Security Bureaus, as well as other PRC cybersecurity government contractors," the State Department noted.

"'Flax Typhoon' hackers have successfully targeted multiple U.S. and foreign corporations, universities, government agencies, telecommunications providers, and media organizations."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/WrZA4jl
via IFTTT

The Good, the Bad and the Ugly in Cybersecurity – Week 1

The Good | HIPAA to Update Security Rules and Feds Sanction Disinformation Campaign Operators

Cyberattacks on healthcare systems put patients at critical risk, disrupting urgent medical services or treatments as well as exposing highly sensitive data. Given the increased surge in healthcare data leaks and attacks, the U.S. Department of Health and Human Services (HHS) has proposed a series of updates to HIPAA.

These rules are expected to be published within 60 days and would require healthcare providers to encrypt patient data, adopt MFA, and implement network segmentation to limit attacker movement should a breach occur.

Statements from the White House note that this is the first major update to HIPAA’s security rule since 2013 and is designed to address the fast, upwards tick of hacking and ransomware on the healthcare industry seen in recent years. Though implementation costs are projected to reach $9 billion in the first year, experts stress the much higher cost of inaction, reaffirming that protecting critical infrastructure and preventing data and service disruptions must remain a priority.

The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned two organizations from Iran and Russia this week for intefering in the recent U.S. presidential election via disinformation campaigns. The latest sanctions on Iran’s Cognitive Design Production Center (CDPC), linked to the IRGC, and Russia’s Center for Geopolitical Expertise (CGE), tied to the GRU, build on top of sanctions previously imposed for stoking sociopolitical tensions amongst U.S. audiences.

This action follows broader federal efforts to fight back against foreign cyberattacks and influence campaigns, including outstanding criminal charges against Iranian and Russian operatives targeting sensitive government data and democratic processes.

The Bad | Rhode Islanders’ Stolen Data Appears on Dark Web After Brain Cipher Attack

Ransomware gang, Brain Cipher, has begun leaking sensitive data stolen from Rhode Island’s RIBridges social services platform earlier in December.

The integrated system, which managed healthcare, social services, and food assistance programs, served some 650,000 citizens including minors, before being taken offline. Exposed information was confirmed by Governor McKee to contain names, addresses, birthdates, social security numbers, and banking details. Screenshots also suggest that the stolen files include Oracle databases and system backups.

The ransomware group Brain Cipher has released the breach data from the @Deloitte RIBridges hack, containing PII of not just adults but minors. #BrainCipher #RIBridges #CyberSecurity pic.twitter.com/daedFifmZE

— Connor Goodwolf (@cgoodwolf) December 30, 2024

While IT teams are investigating the breach, state officials are urging Rhode Islanders to protect themselves by freezing their critical accounts, activating MFA where possible, monitoring changes to credit charges, and watching for signs of phishing scams that exploit the stolen personally identifiable information (PII).

Brain Cipher has been active since June 2024, primarily engaging in multi-pronged extortion using a ransomware encryptor and a data leak site (DLS). The encryptor itself is derived from the leaked LockBit 3.0 builder. Currently, the DLS is offline, possibly due to a distributed-denial-of-service (DDoS) attack, but the Brain Cipher TOR-based negotiation page remains operational. The ransomware gang has historically targeted multiple critical industries, including entities in the medical, educational, and manufacturing fields.

Six months ago, Brain Cipher gained notoriety for targeting Indonesia’s temporary National Data Center (PDNS), designed to securely store government servers for online services and host sensitive data. The attack caused major disruptions to core immigration, passport control, and event permitting services across over 200 government agencies.

As of this writing, the state has begun the process of multi-stage restoration and aims to have databases back online by mid-January while indicating that food assistance and health insurance benefits will not be delayed by the attack.

The Ugly | 185 New Flaws Added to CISA’s KEV Catalog in 2024

Across 2024, CISA added 185 new entries to its catalog of Known Exploited Vulnerabilities (KEV), bringing the total to 1,238 actively exploited flaws in both software and hardware.

First established in November 2021, CISA’s Known Exploited Vulnerabilities (KEV) Catalog is an authoritative source on flaws that have been exploited in the wild. Inputs in the KEV allow the cyberdefense community and vendors to efficiently identify and mitigate high and critical-risk vulnerabilities and prioritize their management processes.

A threat group exploited systems run by CISA via vulnerabilities in Ivanti products (Source: DHS)

Of the year’s worth of additions, 115 entries represent recent vulnerabilities while 60 to 70 are older ones, emphasizing that even long-known flaws remain exploitable and dangerous. Notably, CVE-2002-0367 from 2002, capturing a debugging subsystem in Windows NT and Windows 2000 flaw that allows local users to gain admin or SYSTEM privileges, continues to be exploited, alongside CVE-2012-4792, a remote code execution (RCE) flaw from 2012 that affects Microsoft Internet Explorer 6 through 8.

Adding to this, OS Command Injection (CWE-78) (where attackers can inject malicious commands leading to unauthorized control), Deserialization of Untrusted Data (CWE-502) (where attackers exploit improperly handled data leading to RCE), and Use-After-Free (CWE-416) (where programs re-use memory that has already been freed) flaw types were most common, highlighting the continued risks of unauthorized access and code execution.

Of the entries from 2024, Microsoft led the list of vendors affected with 36 vulnerabilities added, a number that reflects how attackers weaponize its widespread presence in global cloud platforms, enterprise systems, and software products. Ivanti followed with 11 entries, including a critical flaw exploited in a breach of CISA itself. Other major vendors such as Google Chromium, Adobe, and Apple also faced multiple vulnerabilities.

from SentinelOne https://ift.tt/jEBZvQ8
via IFTTT

New AI Jailbreak Method 'Bad Likert Judge' Boosts Attack Success Rates by Over 60%

Jan 03, 2025Ravie LakshmananMachine Learning / Vulnerability

Cybersecurity researchers have shed light on a new jailbreak technique that could be used to get past a large language model's (LLM) safety guardrails and produce potentially harmful or malicious responses.

The multi-turn (aka many-shot) attack strategy has been codenamed Bad Likert Judge by Palo Alto Networks Unit 42 researchers Yongzhe Huang, Yang Ji, Wenjun Hu, Jay Chen, Akshata Rao, and Danny Tsechansky.

"The technique asks the target LLM to act as a judge scoring the harmfulness of a given response using the Likert scale, a rating scale measuring a respondent's agreement or disagreement with a statement," the Unit 42 team said.

"It then asks the LLM to generate responses that contain examples that align with the scales. The example that has the highest Likert scale can potentially contain the harmful content."

The explosion in popularity of artificial intelligence in recent years has also led to a new class of security exploits called prompt injection that is expressly designed to cause a machine learning model to ignore its intended behavior by passing specially crafted instructions (i.e., prompts).

One specific type of prompt injection is an attack method dubbed many-shot jailbreaking, which leverages the LLM's long context window and attention to craft a series of prompts that gradually nudge the LLM to produce a malicious response without triggering its internal protections. Some examples of this technique include Crescendo and Deceptive Delight.

The latest approach demonstrated by Unit 42 entails employing the LLM as a judge to assess the harmfulness of a given response using the Likert psychometric scale, and then asking the model to provide different responses corresponding to the various scores.

In tests conducted across a wide range of categories against six state-of-the-art text-generation LLMs from Amazon Web Services, Google, Meta, Microsoft, OpenAI, and NVIDIA revealed that the technique can increase the attack success rate (ASR) by more than 60% compared to plain attack prompts on average.

These categories include hate, harassment, self-harm, sexual content, indiscriminate weapons, illegal activities, malware generation, and system prompt leakage.

"By leveraging the LLM's understanding of harmful content and its ability to evaluate responses, this technique can significantly increase the chances of successfully bypassing the model's safety guardrails," the researchers said.

"The results show that content filters can reduce the ASR by an average of 89.2 percentage points across all tested models. This indicates the critical role of implementing comprehensive content filtering as a best practice when deploying LLMs in real-world applications."

The development comes days after a report from The Guardian revealed that OpenAI's ChatGPT search tool could be deceived into generating completely misleading summaries by asking it to summarize web pages that contain hidden content.

"These techniques can be used maliciously, for example to cause ChatGPT to return a positive assessment of a product despite negative reviews on the same page," the U.K. newspaper said.

"The simple inclusion of hidden text by third-parties without instructions can also be used to ensure a positive assessment, with one test including extremely positive fake reviews which influenced the summary returned by ChatGPT."

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/LFyas47
via IFTTT

Critical Deadline: Update Old .NET Domains Before January 7, 2025 to Avoid Service Disruption

Jan 03, 2025Ravie LakshmananDevOps / Software Development

Microsoft has announced that it's making an "unexpected change" to the way .NET installers and archives are distributed, requiring developers to update their production and DevOps infrastructure.

"We expect that most users will not be directly affected, however, it is critical that you validate if you are affected and to watch for downtime or other kinds of breakage," Richard Lander, a program manager on the .NET team, said in a statement last week.

The move is the result of the fact that some .NET binaries and installers are hosted on Azure Content Delivery Network (CDN) domains that end in .azureedge[.]net -- dotnetcli.azureedge.net and dotnetbuilds.azureedge.net -- which are hosted on Edgio.

Last month, web infrastructure and security company Akamai acquired select assets from Edgio following its bankruptcy. As part of this transition, the Edgio platform is scheduled to end service on January 15, 2025.

Given that the .azureedge[.]net domains could cease to become unavailable in the future, Microsoft said it's migrating to Azure Front Door CDNs. The Windows maker said it will automatically migrate customers' workloads by January 7, 2025, if no action is taken.

However, it's worth noting that automatic migration will not be possible for endpoints with *.vo.msecnd.net domains. Users who plan to migrate to Akamai or another CDN provider are also required to set the Feature Flag DoNotForceMigrateEdgioCDNProfiles before January 7, 2025, so as to prevent automatic migration to Azure Front Door.

"Note you will have until January 14, 2025 to complete your migration to another CDN, but again Microsoft cannot guarantee your services will be available on the Edgio platform before this date," Microsoft said.

"Please be advised we will need to halt all configuration changes to Azure CDN by Edgio profiles starting on January 3, 2025. This means you will not be able to update your CDN profile configuration, but your services on Azure CDN from Edgio will still operate until you are migrated or the Edgio platform is shut down on January 15, 2025. If you apply the DoNotForceMigrateEdgioCDNProfiles feature flag before January 3, your configuration will not be frozen for changes."

While relying on *.azureedge[.]net and *.azurefd[.]net isn't recommended due to availability risks, users have the temporary option of migrating to Azure Front Door while retaining the domains.

"To ensure greater flexibility and avoid a single point of failure, it's advisable to adopt a custom domain as soon as possible," Microsoft warns.

Furthermore, to avoid security concerns with a bad actor acquiring the azureedge[.]net domain for malware distribution or poisoning the software supply chain, the tech giant said it has taken control of it. But as for why the old domain names could not be used to resolve to the new servers, it's being said that "this option wasn't being made available."

Users are recommended to scan their codebases for references to azureedge[.]net and update them to the following -

• Update dotnetcli.azureedge.net to builds.dotnet.microsoft.com
• Update dotnetcli.blob.core.windows.net to builds.dotnet.microsoft.com

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/MGtUQqc
via IFTTT

Apple to Pay Siri Users $20 Per Device in Settlement Over Accidental Siri Privacy Violations

Jan 03, 2025Ravie LakshmananTechnology / Data Privacy

Apple has agreed to pay $95 million to settle a proposed class action lawsuit that accused the iPhone maker of invading users' privacy using its voice-activated Siri assistant.

The development was first reported by Reuters.

The settlement applies to U.S.-based individuals current or former owners or purchasers of a Siri-enabled device who had their confidential voice communications with the assistant "obtained by Apple and/or were shared with third-parties as a result of an

unintended Siri activation" between September 17, 2014, and December 31, 2024.

Eligible individuals can submit claims for up to five Siri devices – iPhone, iPad, Apple Watch, MacBook, iMac, HomePod, iPod touch, or Apple TV – on which they claim to have experienced an accidental Siri activation during a conversation intended to be confidential or private. Class members who submit valid claims can receive $20 per device.

The lawsuit was brought against Apple following a 2019 report from The Guardian that disclosed that third-party contractors were listening in on private conversations of its users issuing voice commands to Siri as part of its efforts to improve the quality of its product.

An amended complaint filed in September 2021 alleged that the private conversations recorded by Apple because of accidental activations were also disclosed to third-party advertisers.

Cupertino has disputed the claims, arguing that "there are no facts, much less plausible facts, that tie Plaintiffs' receipt of targeted ads to their speculation that Siri must have been listening to their conversations, and Apple must have used Siri to facilitate targeted ads by third parties."

Following the revelations, Apple apologized for not "fully living up to our high ideals" and subsequently introduced an opt-in to help Siri improve by learning from the audio samples of their requests. It also said it will remove any recording that's determined to be an inadvertent trigger of Siri.

It has since rolled out new settings across its software portfolio to allow users to disable the collection of analytics information for improving Siri and dictation, as well as delete all history. Apple has denied any wrongdoing in the settlement filing.

Google, which has also faced accusations with its voice assistant back in 2019, is battling a similar lawsuit in the U.S, District Court.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://ift.tt/4AeOngU
via IFTTT

VMware Backup: Comprehensive Guide and Methods

VMware backup refers to the process of copying data from virtual machines (VMs) within a VMware environment to ensure its safety and recoverability. This is a critical task for backup and storage administrators, as protecting virtual server data comes with its unique set of challenges. Whether it’s safeguarding against accidental deletion, corruption, or system failure, VMware backup forms the backbone of a resilient VMware infrastructure.

This guide provides an in-depth look at VMware backup, exploring its importance, best practices, and methods to ensure data safety and business continuity.

What is VMware Backup?

VMware backup is the process of creating copies of virtual machines (VMs) running on VMware platform, namely VMware vSphere, to ensure data is protected and recoverable. By backing up VMware environments, organizations can safeguard against data loss, ensure business continuity, and meet regulatory compliance requirements. VMware backup solutions include various methods and tools tailored to the specific needs of virtualized systems.

Why is VMware Backup Important?

If you rely on virtualized infrastructure, backup isn’t optional — it’s critical. Here’s why:

• Data Protection
  Backups protect your files and applications from being lost or corrupted.
• Business Continuity
  Backups ensure you can get back up and running quickly after unexpected disruptions.
• Risk Mitigation
  Regular backups minimize the impact of ransomware, hardware failure, or human error.
• Regulatory Compliance
  For organizations in regulated industries, backups help meet data protection standards and ensure compliance with legal and industry regulations regarding data retention and recovery.

VMware Backup Methods

There are several VMware backup methods available. Understanding these options will help you choose the best strategy to protect your VMware infrastructure.

File-Level Backup

File-level backup focuses on protecting specific files and directories within the guest operating system. This typically requires an agent installed in the VM to interact with the OS and select data for backup. While useful for granular control, this approach may increase complexity and resource usage. File-level backups aren’t inherently application-consistent, but using tools like VSS (Volume Shadow Copy Service) or backup agents configured for application-aware processing can achieve this.

Image-Level Backup

Image-level backup captures an entire VM, including its disks and configuration, at the block level using VMware’s vStorage APIs. This agentless approach simplifies management, minimizes impact on VMs, and is highly efficient for large-scale environments. To ensure application consistency, additional steps like VMware Tools integration or quiescing mechanisms are required, as the method doesn’t automatically guarantee it.

Storage-Level Backup

Storage-Level Backup refers to backup methods that operate at the storage infrastructure layer rather than directly within the VMware environment. These methods typically leverage the capabilities of the storage array hosting the VMware datastores, bypassing VMware’s APIs and VMs entirely.

VMware Backup Best Practices

The key to successful backups lies in the details. Here’s how to do it right:

• Use Application-Consistent Backups
  Application-consistent backups (or ‘application-aware backups’) can capture app’s data both in memory and in pending I/O operations. This is achieved using VMware APIs and features like VSS (Volume Shadow Copy Service) to ensure database or application backups aren’t just files — they’re usable and consistent.
• Don’t Use Snapshots as Backups
  Snapshots are great for temporary checkpoints during updates, but they’re not a long-term backup solution. Period.
• Resource Planning Matters
  Ensure your network, storage, and processing capabilities can handle backup tasks without slowing down your environment. Additionally, most backup software products allow to detect bottlenecks within the backup infrastructure.

A good backup strategy is like a well-oiled machine — everything needs to work in sync.

What StarWind Has to Offer?

When it comes to VMware backup, StarWind offers flexible solutions to meet your needs — whether you’re starting fresh or re-using existing hardware.

StarWind Backup Appliance is a ransomware-proof backup target. It keeps your data safe with immutability, delivers lightning-fast backup and restore performance with all-NVMe storage, and saves costs through deduplication and automatic offloading of cold backups to the cloud. It’s the Swiss Army Knife® of data protection — handling backups, cutting costs, and integrating with Veeam right out of the box.

StarWind Virtual Backup Appliance lets you repurpose existing hardware into a powerful backup infrastructure. It offers the same software stack as the physical appliance, with features like immutability, deduplication, public cloud offloading, and AI-powered issue resolution. Perfect for breathing new life into old production clusters.

Wrapping it Up

VMware backup isn’t just a checkbox — it’s an essential part of your IT strategy. By understanding the right methods, steering clear of shortcuts (looking at you, snapshots), and leveraging tools like StarWind Backup Appliance, you can ensure your critical data is protected and your operations are resilient.

Backup doesn’t have to be overcomplicated, but it does have to be done right. Think ahead, invest wisely, and rest easy knowing your virtual machines are safe.

from StarWind Blog https://bit.ly/4fXWjFf
via IFTTT

Why Secure Development Environments Are Essential for Modern Software Teams

“You don’t want to think about security — until you have to.”

That’s what I’d tell you if I were being honest about the state of development at most organizations I have spoken to. Every business out there is chasing one thing: speed. Move faster. Innovate faster. Ship faster. To them, speed is survival. There’s something these companies are not seeing — a shadow. An unseen risk hiding behind every shortcut, every unchecked tool, and every corner cut in the name of “progress.”

Businesses are caught in a relentless sprint, chasing speed and progress at all costs. However, as Cal Newport reminds us in Slow Productivity, the race to do more — faster — often leads to chaos, inefficiency, and burnout. Newport’s philosophy calls for deliberate, focused work on fewer tasks with greater impact. This philosophy isn’t just about how individuals work — it’s about how businesses innovate. Development teams rushing to ship software often cut corners, creating vulnerabilities that ripple through the entire supply chain. 

The strategic risk: An unsecured development pipeline

Development environments are the foundation of your business. You may think they’re inherently secure because they’re internal. Foundations crumble when you don’t take care of them, and that crack doesn’t just swallow your software — it swallows established customer trust and reputation. That’s how it starts: a rogue tool here, an unpatched dependency there, a developer bypassing IT to do things “their way.” They’re not trying to ruin your business. They’re trying to get their jobs done. But sometimes you can’t stop a fire after it’s started. Shadow IT isn’t just inconvenient — it’s dangerous. It’s invisible, unmonitored, and unregulated. It’s the guy leaving the back door open in a neighborhood full of burglars.

You need control, isolation, and automation — not because they’re nice to have, but because you’re standing on a fault line without them. Docker gives you that control. Fine-grained, role-based access ensures that the only people touching your most critical resources are the ones you trust. Isolation through containerization keeps every piece of your pipeline sealed tight so vulnerabilities don’t spread. Automation takes care of the updates, the patch management, and the vulnerabilities before they become a problem. In other words, you don’t have to hope your foundation is solid — you’ll know it is.

Shadow IT: A growing concern

While securing official development environments is critical, shadow IT remains an insidious and hidden threat. Shadow IT refers to tools, systems, or environments implemented without explicit IT approval or oversight. In the pursuit of speed, developers may bypass formal processes to adopt tools they find convenient. However, this creates unseen vulnerabilities with far-reaching consequences.

In the pursuit of performative busywork, developers often take shortcuts, grabbing tools and spinning up environments outside the watchful eyes of IT. The intent may not be malicious; it’s just human nature. Here’s the catch: What you don’t see, you can’t protect. Shadow IT is like a crack in the dam: silent, invisible, and spreading. It lets unvetted tools and insecure code slip into your supply chain, infecting everything from development to production. Before you know it, that “quick fix” has turned into a legal nightmare, a compliance disaster, and a stain on your reputation. In industries like finance or healthcare, that stain doesn’t wash out quickly. 

A solution rooted in integration

The solution lies in a unified, secure approach to development environments that removes the need for shadow IT while fortifying the software supply chain. Docker addresses these vulnerabilities by embedding security directly into the development lifecycle. Our solution is built on three foundational principles: control, isolation, and automation.

1. Control through role-based access management: Docker Hub establishes clear boundaries within development environments by enabling fine-grained, role-based access. You want to ensure that only authorized personnel can interact with sensitive resources, which will ideally minimize the risk of unintended or malicious actions. Docker also enables publishers to enforce role-based access controls, ensuring only authorized users can interact with development resources. It streamlines patch management through verified, up-to-date images. Docker Official Images and Docker Verified Publisher content are scanned with our in-house image analysis tool, Docker Scout. This helps find vulnerabilities before they can be exploited.
2. Isolation through containerization: Docker’s value proposition centers on its containerization technology. By creating isolated development spaces, Docker prevents cross-environment contamination and ensures that applications and their dependencies remain secure throughout the development lifecycle.
3. Automation for seamless security: Recognizing the need for speed in modern development cycles, Docker integrates recommendations with Scout through recommendations for software updates and patch management for CVEs. This ensures that environments remain secure against emerging threats without interrupting the flow of innovation.

Delivering tangible business outcomes

Businesses are always going to face this tension between speed and security, but the truth is you don’t have to choose. Docker gives you both. It’s not just a platform; it’s peace of mind. Because when your foundation is solid, you stop worrying about what could go wrong. You focus on what comes next.

Consider the example of a development team working on a high-stakes application feature. Without secure environments, a single oversight — such as an unregulated access point — can result in vulnerabilities that disrupt production and erode customer trust. By leveraging Docker’s integrated security solutions, the team mitigates these risks, enabling them to focus on value creation rather than crisis management.

Aligning innovation with security

As a previous post covers, securing the development pipeline is not simply deploying technical solutions but establishing trust across the entire software supply chain. With Docker Content Trust and image signing, organizations can ensure the integrity of software components at every stage, reducing the risk of third-party code introducing unseen vulnerabilities. By eliminating the chaos of shadow IT and creating a transparent, secure development process, businesses can mitigate risk without slowing the pace of innovation.

The tension between speed and security has long been a barrier to progress, but businesses can confidently pursue both with Docker. A secure development environment doesn’t just protect against breaches — it strengthens operational resilience, ensures regulatory compliance, and safeguards brand reputation. Docker empowers organizations to innovate on a solid foundation as unseen risks lurk within an organization’s fragmented tools and processes. 

Security isn’t a luxury. It’s the cost of doing business. If you care about growth, if you care about trust, if you care about what your brand stands for, then securing your development environments isn’t optional — it’s survival. Docker Business doesn’t just protect your pipeline; it turns it into a strategic advantage that lets you innovate boldly while keeping your foundation unshakable. Integrity isn’t something you hope for — it’s something you build.

Start today

Securing your software supply chain is a critical step in building resilience and driving sustained innovation. Docker offers the tools to create fortified development environments where your teams can operate at their best.

The question is not whether to secure your development pipeline — it’s how soon you can start. Explore Docker Hub and Scout today to transform your approach to innovation and security. In doing so, you position your organization to navigate the complexities of the modern development landscape with confidence and agility.

Learn more

• Subscribe to the Docker Newsletter. 
• Visit Docker’s trusted content page.
• Get the latest release of Docker Desktop.
• Have questions? The Docker community is here to help.
• New to Docker? Get started.

from Docker https://bit.ly/402ZGo8
via IFTTT

Severe Security Flaws Patched in Microsoft Dynamics 365 and Power Apps Web API

Jan 02, 2025Ravie LakshmananVulnerability / Data Protection

Details have emerged about three now-patched security vulnerabilities in Dynamics 365 and Power Apps Web API that could result in data exposure.

The flaws, discovered by Melbourne-based cybersecurity company Stratus Security, have been addressed as of May 2024. Two of the three shortcomings reside in Power Platform's OData Web API Filter, while the third vulnerability is rooted in the FetchXML API.

The root cause of the first vulnerability is the lack of access control on the OData Web API Filter, thereby allowing access to the contacts table that holds sensitive information such as full names, phone numbers, addresses, financial data, and password hashes.

A threat actor could then weaponize the flaw to perform a boolean-based search to extract the complete hash by guessing each character of the hash sequentially until the correct value is identified.

"For example, we start by sending startswith(adx_identity_passwordhash, 'a') then startswith(adx_identity_passwordhash , 'aa') then startswith(adx_identity_passwordhash , 'ab') and so on until it returns results that start with ab," Stratus Security said.

"We continue this process until the query returns results that start with 'ab'. Eventually, when no further characters return a valid result, we know we have obtained the complete value."

The second vulnerability, on the other hand, lies in using the orderby clause in the same API to obtain the data from the necessary database table column (e.g., EMailAddress1, which refers to the primary email address for the contact).

Lastly, Stratus Security also found that the FetchXML API could be exploited in conjunction with the contacts table to access restricted columns using an orderby query.

"When utilizing the FetchXML API, an attacker can craft an orderby query on any column, completely bypassing the existing access controls," it said. "Unlike the previous vulnerabilities, this method does not necessitate the orderby to be in descending order, adding a layer of flexibility to the attack."

An attacker weaponizing these flaws could, therefore, compile a list of password hashes and emails, then crack the passwords or sell the data.

"The discovery of vulnerabilities in the Dynamics 365 and Power Apps API underscores a critical reminder: cybersecurity requires constant vigilance, especially for large companies that hold so much data like Microsoft," Stratus Security said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://bit.ly/41YOuvj
via IFTTT

Cross-Domain Attacks: A Growing Threat to Modern Security and How to Combat Them

Jan 02, 2025The Hacker NewsCloud Security / Threat Intelligence

In the past year, cross-domain attacks have gained prominence as an emerging tactic among adversaries. These operations exploit weak points across multiple domains – including endpoints, identity systems and cloud environments – so the adversary can infiltrate organizations, move laterally and evade detection. eCrime groups like SCATTERED SPIDER and North Korea-nexus adversaries such as FAMOUS CHOLLIMA exemplify the use of cross-domain tactics, leveraging advanced techniques to exploit security gaps across interconnected environments.

The foundation of these attacks is built around the exploitation of legitimate identities. Today's adversaries no longer "break in"; they "log in" – leveraging compromised credentials to gain access and blend seamlessly into their targets. Once inside, they exploit legitimate tools and processes, making them difficult to detect as they pivot across domains and escalate privileges.

The Current State of Identity Security

The rise in cross-domain and identity-based attacks exposes a critical vulnerability in organizations that treat identity security as an afterthought or compliance checkbox rather than an integral component of their security architecture. Many businesses rely on disjointed tools that address only fragments of the identity problem, resulting in visibility gaps and operational inefficiencies. This patchwork approach fails to provide a cohesive view or secure the broader identity landscape effectively.

This approach creates gaps in security tools, but also can create a dangerous disconnect between security teams. For example, the divide between teams managing identity and access management (IAM) tools and those running security operations creates dangerous visibility gaps and exposes weaknesses in security architecture across on-premises and cloud environments. Adversaries exploit these gaps to perpetrate their attacks. Organizations need a more comprehensive approach to defend against these sophisticated attacks.

Transforming Identity Security: Three Essential Steps

To protect against cross-domain attacks, organizations just move beyond patchwork solutions and adopt a unified, comprehensive strategy that prioritizes identity security:

1. Identity at the Core: Laying the Foundation

Modern security begins with consolidating threat detection and response across identity, endpoint and cloud within a unified platform. By placing identity at the core, this approach eliminates the inefficiencies of fragmented tools and creates a cohesive foundation for comprehensive defense. A unified platform accelerates response time and simplifies security operations. It also reduces cost by improving collaboration across teams and replacing disconnected point solutions with a streamlined architecture that secures identity against cross-domain threats.

2. Identity Visibility: Seeing the Whole Picture

Robust identity protection requires end-to-end visibility across hybrid environments spanning on-premises, cloud and SaaS applications. Unifying security tools eliminates blind spots and gaps that adversaries like to exploit. Seamless integration with on-premises directories, cloud identity providers like Entra ID and Okta, and SaaS applications ensures a complete view of all access points. This full-spectrum visibility transforms identity systems into fortified perimeters, significantly reducing adversaries' ability to infiltrate.

3. Real-Time Identity Protection

With identity as a focal point of unification and visibility, organizations can pivot to real-time detection and response. A cloud-native platform, like the AI-native CrowdStrike Falcon® cybersecurity platform, uses cross-domain telemetry to secure identity, endpoints and cloud environments by identifying, investigating and neutralizing threats. Features like risk-based conditional access and behavioral analysis proactively protect identity systems, blocking attacks before they escalate. This unified approach ensures faster responses than fragmented systems and a decisive edge against modern adversaries.

Putting Identity into Practice: CrowdStrike Falcon Identity Protection

When it comes to comprehensive protection against cross-domain attacks, CrowdStrike sets the industry standard with the Falcon platform. It uniquely combines identity, endpoint and cloud security with world-class threat intelligence on adversary tradecraft and real-time threat hunting for a holistic defense against identity-based attacks. CrowdStrike's approach relies on:

• Unification: The Falcon platform enables security teams to oversee all layers of security – identity threat detection and response (ITDR), endpoint security, cloud security, and next-gen security information and event management (SIEM) – all through a single agent and console on one unified platform. With the Falcon platform, CrowdStrike customers on average realize up to 84% improvement in operational efficiency in responding to cross-domain threats.
• 24/7 Visibility with Managed ITDR: Many organizations facing resource constraints turn to managed service providers to handle security operations. CrowdStrike provides the best of both worlds – pairing top-tier ITDR capabilities with industry-leading expert management – to implement a robust and mature identity security program without the work, cost and time required to develop one internally.
• Real-Time Protection: With CrowdStrike Falcon® Identity Protection, organizations can detect and stop identity-driven breaches in real-time across entire hybrid identity landscapes. CrowdStrike's industry-leading team of elite threat hunters monitor 24/7 for suspicious activity across customers' environments and proactively scour the dark web for stolen credentials. CrowdStrike customers on average get up to 85% faster threat responses driven by full attack path visibility.

The Future of Identity Security

As adversaries exploit the seams between identity, endpoint and cloud environments, the need for a unified security approach has never been greater. The CrowdStrike Falcon platform delivers the integration, visibility and real-time response capabilities necessary to combat cross-domain threats head-on. By combining cutting-edge technology with world-class threat intelligence and expert management, CrowdStrike enables organizations to fortify their defenses and stay ahead of evolving attack tactics.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.

from The Hacker News https://bit.ly/40eV1Rk
via IFTTT