Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile.

**SQL injection in funadmin**

High severity GitHub Reviewed Published Oct 25, 2024 to the GitHub Advisory Database • Updated Oct 25, 2024

GHSA-6j8f-88mh-r9vq: SQL injection in funadmin

Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist.

GHSA-x2fr-vj74-5h35: SQL injection in funadmin

Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/list.

GHSA-h4px-9vmp-p7pv: SQL injection in funadmin

Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield.

GHSA-9gw3-qr2f-3vg5: SQL injection in funadmin

Funadmin v5.0.2 has an arbitrary file deletion vulnerability in /curd/index/delfile.

GHSA-vw6x-c5rg-jmjp: SQL injection in funadmin

Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit.

GHSA-5g66-93qv-565j: SQL injection in funadmin

Funadmin 5.0.2 has a logical flaw in the Curd one click command deletion function, which can result in a Denial of Service (DOS).

**Logic flaw in Funadmin**

High severity GitHub Reviewed Published Oct 25, 2024 to the GitHub Advisory Database • Updated Oct 25, 2024

GHSA-r9v5-q97m-rj5g: Logic flaw in Funadmin

The networking company found liable for illegally gathering user data for targeted advertising by the Irish Data Protection Commission.

Source: Iain Masterton via Alamy Stock Photo

LinkedIn earned itself a €310 million ($335 million) fine by European Union regulators on Oct. 24 for its violations of the General Data Protection Regulation (GDPR) data privacy rules.

Ireland's Data Protection Commission (DPC) cited concerns regarding the lawfulness, fairness, and transparency of personal data processing for the professional networking site's advertising purposes.

As LinkedIn's lead privacy regulator, the DPC reported that it carried out an investigation and found that LinkedIn did not have lawful basis to be compiling data to target its users with ads, ultimately breaching GDPR. This investigation was launched following a complaint initially made by the French Data Protection Authority.

"The inquiry examined LinkedIn's processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members)," according to a DPC press release. "The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million."

LinkedIn asserts that it believes it has been in compliance with the rules but acknowledges that it will work to ensure its ad practices meet the requirements.

**About the Author**

LinkedIn Hit With $335M Fine for Data Privacy Violations

Kremlin intelligence carried out a wide-scale phishing campaign in contrast to its usual, more targeted operations.

Source: Design Pics Inc via Alamy Stock Photo

Russia's premiere advanced persistent threat group has been phishing thousands of targets in militaries, public authorities, and enterprises.

APT29 (aka Midnight Blizzard, Nobelium, Cozy Bear) is arguably the world's most notorious threat actor. An arm of the Russian Federation's Foreign Intelligence Service (SVR), it's best known for the historic breaches of SolarWinds and the Democratic National Committee (DNC). Lately, it has breached Microsoft's codebase and political targets across Europe, Africa, and beyond.

"APT29 embodies the 'persistent' part of 'advanced persistent threat,'" says Satnam Narang, senior staff research engineer at Tenable. "It has persistently targeted organizations in the United States and Europe for years, utilizing various techniques, including spear-phishing and exploitation of vulnerabilities to gain initial access and elevate privileges. Its modus operandi is the collection of foreign intelligence, as well as maintaining persistence in compromised organizations in order to conduct future operations."

Along these same lines, the Computer Emergency Response Team of Ukraine (CERT-UA) recently discovered APT29 phishing Windows credentials from government, military, and private sector targets in Ukraine. And after comparing notes with authorities in other countries, CERT-UA found that the campaign was actually spread across "a wide geography."

That APT29 would go after sensitive credentials from geopolitically prominent and diverse organizations is no surprise, Narang notes, though he adds that "the one thing that does kind of stray from the path would be its broad targeting, versus \[its typical more\] narrowly focused attacks."

**AWS and Microsoft**

The campaign, which dates back to August, was carried out using malicious domain names designed to seem like they were associated with Amazon Web Services (AWS). The emails sent from these domains pretended to advise recipients on how to integrate AWS with Microsoft services, and how to implement zero trust architecture.

Despite the masquerade, AWS itself reported that the attackers weren't after Amazon, or its customers' AWS credentials.

What APT29 really wanted was revealed in the attachments to those emails: configuration files for Remote Desktop, Microsoft's application for implementing the Remote Desktop Protocol (RDP). RDP is a popular tool that legitimate users and hackers alike use to operate computers remotely.

"Normally, attackers will try to brute force their way into your system or exploit vulnerabilities, then have RDP configured. In this case, they're basically saying: 'We want to establish that connection \[upfront\],'" Narang says.

Launching one of these malicious attachments would have immediately triggered an outgoing RDP connection to an APT29 server. But that wasn't all: The files also contained a number of other malicious parameters, such that when a connection was made, the attacker was given access to the target computer's storage, clipboard, audio devices, network resources, printers, communication (COM) ports, and more, with the added ability to run custom malicious scripts.

**Block RDP**

APT29 may not have used any legitimate AWS domains, but Amazon still managed to interrupt the campaign by seizing the group's malicious copycats.

For potential victims, CERT-UA recommends strict precautions: not just monitoring network logs for connections to IP addresses tied to APT29 but also analyzing all outgoing connections to all IP addresses on the wider Web through the end of the month.

And for organizations at risk in the future, Narang offers simpler advice. "First and foremost, don't allow RDP files to be received. You can block them at your email gateway. That's going to kneecap this whole thing," he says.

AWS declined to provide further comment for this story. Dark Reading has also reached out to Microsoft for its perspective.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Russia's APT29 Mimics AWS Domains to Steal Windows Credentials

Four companies — Avaya, Check Point, Mimecast, and Unisys — have been charged by the SEC for misleading disclosures in the aftermath of the 2020 SolarWinds compromise.

Source: Ascannio via Alamy Stock Photo

The initial attack might be years old, but regulators at the Securities and Exchange Commission (SEC) are still sifting through the details of the 2020 SolarWinds breach. This week, the SEC announced it has charged four companies for what the agency determined was an intentional effort to minimize the impact of the hack to their systems.

Unisys was dealt the largest civil penalty — $4 million — for its disclosure practices, as well as for controls violations.

"The SEC's order against Unisys finds that the company described its risks from cybersecurity events as hypothetical despite knowing that it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data," the SEC announcement of the fines read. "The order also finds that these materially misleading disclosures resulted in part from Unisys’ deficient disclosure controls."

Unisys has not responded to Dark Reading's request for comment.

Avaya Holdings Corp. agreed to pay $1 million for its statements that admitted a threat actor has accessed what the company characterized at the time as a "limited number" of company email messages, but failed to mention the company was also aware that 145 files in its cloud environment were also compromised, according to the SEC.

Avaya, similarly to the other fined companies, said in its statement the company is glad to put this issue to rest.

"We are pleased to have resolved with the SEC this disclosure matter related to historical cybersecurity issues dating back to late 2020, and that the agency recognized Avaya’s voluntary cooperation and that we took certain steps to enhance the company’s cybersecurity controls," according to a statement from Avaya provided to Dark Reading. "Avaya continues to focus on strengthening its cybersecurity program, both in designing and providing our products and services to our valued customers, as well as in our internal operations."

Check Point was intentionally vague in its disclosures, according to the SEC, which fined the software company $995,000. Check Point's statement maintains the company acted earnestly but is glad to move on.

"The SEC's announcement concerns the same issue that we discussed in a 6-K from December 2023, regarding our settlement discussions on the 2020 SolarWinds Orion cyber vulnerability and the question of whether this should have been reported in Check Point's 2021 20-F Annual Report filing," the Check Point statement read. "As mentioned in the SEC's order, Check Point investigated the SolarWinds incident and did not find evidence that any customer data, code, or other sensitive information was accessed. Nevertheless, Check Point decided that cooperating and settling the dispute with the SEC was in its best interest and allows the company to maintain its focus on helping its customers defend against cyberattacks throughout the world."

The SEC dealt the lightest penalty to Mimecast, which will pay $990,000, for "failing to disclose the nature of the code the threat actor exfiltrated and the quantity of encrypted credentials the threat actor accessed," the SEC said.

Mimecast said in a statement that the company acted transparently, adding that it is no longer a publicly traded company under SEC jurisdiction, but nonetheless will continue to comply with the SEC enforcement.

"In responding to the incident in 2021, Mimecast made extensive disclosures and engaged with our customers and partners proactively and transparently, even those who were not affected," the Mimecast statement read. "We believed that we complied with our disclosure obligations based on the regulatory requirements at that time. As we responded to the incident, Mimecast took the opportunity to enhance our resilience. While Mimecast is no longer a publicly traded company, we have cooperated fully and extensively with the SEC. We resolved this matter to put it behind us and continue to maintain our strong focus on serving our customers."

**SEC Trying to Deter Vague Data Breach Disclosures**

The intention of the charges and subsequent fines is to deter other companies from taking the same "half-truth" communications approach following a breach, the SEC explained.

"Downplaying the extent of a material cybersecurity breach is a bad strategy," Jorge G. Tenreiro, acting chief of the Crypto Assets and Cyber Unit said in a statement. "In two of these cases, the relevant cybersecurity risk factors were framed hypothetically or generically when the companies knew the warned of risks had already materialized."

The lesson companies should take from this SEC enforcement action is that regulators are looking for technically precise disclosures, according to cybersecurity attorney Beth Burgin Waller.

"Companies can no longer rely on generalizations or hypotheticals," she adds. "The challenge for many companies will be thinking of post-ligation risk from all angles including later data breach class actions or customer lawsuits."

This new enterprise cybersecurity terrain will require chief information security officers to work more closely legal teams, Burgin Waller says.

"The SEC is creating tension for many companies post-incident by forcing disclosure of details very early on in an incident investigation that will be cited back to the business in future litigation," she adds. "CISOs need to be prepared to work closely with in-house and outside counsel on SEC cyber-incident materiality determinations, especially in light of the technical precision required of companies in these enforcement announcements."

Latest News