khugepaged in Linux races with rmap-based zap, races with GUP-fast, and fails to call MMU notifiers.

Linux khugepaged Race Conditions

Red Hat Security Advisory 2024-8425-03 - Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8425.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Important: OpenShift Container Platform 4.15.37 bug fix and security update  
Advisory ID:        RHSA-2024:8425-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:8425  
Issue date:         2024-11-04  
Revision:           03  
CVE Names:          CVE-2023-45288  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.15.37 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.15.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.15.37. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHSA-2024:8428

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.15/release_notes/ocp-4-15-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* golang: net/http, x/net/http2: unlimited number of CONTINUATION frames  
causes DoS (CVE-2023-45288)  
* encoding/gob: golang: Calling Decoder.Decode on a message which contains  
deeply nested structures can cause a panic due to stack exhaustion  
(CVE-2024-34156)  
* containers/image: digest type does not guarantee valid type  
(CVE-2024-3727)  
* net/http: Denial of service due to improper 100-continue handling in  
net/http (CVE-2024-24791)  
* cloudevents/sdk-go: usage of WithRoundTripper to create a Client leaks  
credentials (CVE-2024-28110)  
* jose-go: improper handling of highly compressed data (CVE-2024-28180)  
* go/parser: golang: Calling any of the Parse functions containing deeply  
nested literals can cause a panic/stack exhaustion (CVE-2024-34155)  
* go/build/constraint: golang: Calling Parse on a \"// +build\" build tag  
line with deeply nested expressions can cause a panic due to stack  
exhaustion (CVE-2024-34158)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.15 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.15/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2023-45288

References:

https://access.redhat.com/security/updates/classification/#important  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2268273  
https://bugzilla.redhat.com/show_bug.cgi?id=2268372  
https://bugzilla.redhat.com/show_bug.cgi?id=2268854  
https://bugzilla.redhat.com/show_bug.cgi?id=2274767  
https://bugzilla.redhat.com/show_bug.cgi?id=2295310  
https://bugzilla.redhat.com/show_bug.cgi?id=2310527  
https://bugzilla.redhat.com/show_bug.cgi?id=2310528  
https://bugzilla.redhat.com/show_bug.cgi?id=2310529  
https://issues.redhat.com/browse/OCPBUGS-19254  
https://issues.redhat.com/browse/OCPBUGS-37704  
https://issues.redhat.com/browse/OCPBUGS-39018  
https://issues.redhat.com/browse/OCPBUGS-41838  
https://issues.redhat.com/browse/OCPBUGS-42335  
https://issues.redhat.com/browse/OCPBUGS-42470  
https://issues.redhat.com/browse/OCPBUGS-42471  
https://issues.redhat.com/browse/OCPBUGS-42480  
https://issues.redhat.com/browse/OCPBUGS-42611  
https://issues.redhat.com/browse/OCPBUGS-42648  
https://issues.redhat.com/browse/OCPBUGS-42726  
https://issues.redhat.com/browse/OCPBUGS-42780  
https://issues.redhat.com/browse/OCPBUGS-42881  
https://issues.redhat.com/browse/OCPBUGS-42934  
https://issues.redhat.com/browse/OCPBUGS-42992  
https://issues.redhat.com/browse/OCPBUGS-43057  
https://issues.redhat.com/browse/OCPBUGS-43468  
https://issues.redhat.com/browse/OCPBUGS-43626  
https://issues.redhat.com/browse/OCPBUGS-43635

Red Hat Security Advisory 2024-8425-03

Red Hat Security Advisory 2024-8318-03 - Logging for Red Hat OpenShift - 5.6.25.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8318.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: Logging for Red Hat OpenShift - 5.6.25Advisory ID:        RHSA-2024:8318-03Product:            logging for Red Hat OpenShiftAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8318Issue date:         2024-11-04Revision:           03CVE Names:          CVE-2024-24791====================================================================Summary: Logging for Red Hat OpenShift - 5.6.25Description:Logging for Red Hat OpenShift - 5.6.25Solution:https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.htmlhttps://docs.openshift.com/container-platform/4.11/logging/cluster-logging-upgrading.htmlCVEs:CVE-2024-24791References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-8318-03

Red Hat Security Advisory 2024-7323-03 - Logging for Red Hat OpenShift - 5.6.24.

The following advisory data is extracted from:

https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_7323.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Moderate: Logging for Red Hat OpenShift - 5.6.24  
Advisory ID:        RHSA-2024:7323-03  
Product:            logging for Red Hat OpenShift  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:7323  
Issue date:         2024-11-04  
Revision:           03  
CVE Names:          CVE-2024-6104  
====================================================================

Summary: 

Logging for Red Hat OpenShift - 5.6.24

Description:

Logging for Red Hat OpenShift - 5.6.24

Solution:

https://docs.openshift.com/container-platform/4.12/release_notes/ocp-4-12-release-notes.html

https://docs.openshift.com/container-platform/4.12/logging/cluster-logging-upgrading.html

CVEs:

CVE-2024-6104

References:

https://access.redhat.com/security/updates/classification/#moderate  
https://issues.redhat.com/browse/LOG-5950

Red Hat Security Advisory 2024-7323-03

A research tool by the company found a vulnerability in the SQLite open source database, demonstrating the "defensive potential" for using LLMs to find vulnerabilities in applications before they're publicly released.

Source: Krot Studio via Alamy Stock Photo

Google has discovered its first real-world vulnerability using an artificial intelligence (AI) agent that company researchers are designing expressly for this purpose. The discovery of a memory-safety flaw in a production version of a popular open source database by the company's Big Sleep large language model (LLM) project is the first of its kind, and it has "tremendous defensive potential" for organizations, the Big Sleep team wrote in a recent Project Zero blog.

Big Sleep — the work of a collaboration between the company's Project Zero and Deep Mind groups — discovered an exploitable stack buffer underflow in SQLite, a widely used open source database engine.

Specifically, Big Sleep discovered a pattern in the code of a publicly released version of SQLite that creates a potential edge case that needs to be handled by all code that uses the field, the researchers noted. A function in the code failed to correctly handle the edge case, "resulting in a write into a stack buffer with a negative index when handling a query with a constraint on the 'rowid' column," thus creating an exploitable flaw, according to the post.

Google reported the bug to SQLite developers in early October. They fixed it on the same day and before it appeared in an official release of the database, so users were not affected.

Related:News Desk 2024: Hacking Microsoft Copilot Is Scary Easy

**Inspired by AI Bug-Hunting Peers**

"We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software," the Big Sleep team wrote in the post. While this may be true, it's not the first time an LLM-based reasoning system autonomously found a flaw in the SQLite database engine, Google acknowledged.

An LLM model called Atlantis from a group of AI experts called Team Atlanta discovered six zero-day flaws in SQLite3 and even autonomously identified and patched one of them during the AI Cyber Challenge organized by ARPA-H, DARPA, and the White House, the team revealed in a blog post in August.

In fact, the Big Sleep team used one of the Team Atlanta discoveries — of "a null-pointer dereference" flaw in SQLite —  to inspire them to use AI "to see if we could find a more serious vulnerability," according to the post.

**Software Review Goes Beyond Fuzzing**

Google and other software development teams already use a process called fuzz-testing, colloquially known as "fuzzing," to help find flaws in applications before release. Fuzzing is an approach that targets the software with deliberately malformed data — or inputs — to see if it will crash so they can investigate and fix the cause.

Related:Privacy Anxiety Pushes Microsoft Recall AI Release Again

In fact, Google earlier this year released an AI-boosted fuzzing framework as an open source resource to help developers and researchers improve how they find software vulnerabilities. The framework automates manual aspects of fuzz-testing and uses LLMs to write project-specific code to boost code coverage.

While fuzzing "has helped significantly" to reduce the number of flaws in production software, developers need a more powerful approach "to find the bugs that are difficult (or impossible) to find" in this way, such as variants for previously found and patched vulnerabilities, the Big Sleep team wrote.

"As this trend continues, it's clear that fuzzing is not succeeding at catching such variants, and that for attackers, manual variant analysis is a cost-effective approach," the team wrote in the post.

Moreover, variant analysis is a better fit for current LLMs because its provides them with a starting point —  such as the details of a previously fixed flaw — for a search, and thus removes a lot of ambiguity from AI-based vulnerability testing, according to Google. In fact, at this point in the evolution of LLMs, lack of this type of starting point for a search can cause confusion, they noted.

Related:OWASP Releases AI Security Guidance

"We're hopeful that AI can narrow this gap," the Big Sleep team wrote. "We think that this is a promising path towards finally turning the tables and achieving an asymmetric advantage for defenders."

**Glimpse Into the Future**

Google Big Sleep is still in its research phase, and using AI-based automation to identify software flaws overall is a new discipline. However, there already are tools available that developers can use to get a jump on finding vulnerabilities in software code before public release.

Late last month, researchers at Protect AI released Vulnhuntr, a free, open source static code analyzer tool that can find zero-day vulnerabilities in Python codebases using Anthropic's Claude artificial intelligence (AI) model.

Indeed, Google's discovery shows promising progress for the future of using AI to help developers troubleshoot software before letting flaws seep into production versions.

"Finding vulnerabilities in software before it's even released means that there's no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them," Google's Big Sleep team wrote.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Google: Big Sleep AI Agent Puts SQLite Software Bug to Bed

Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal…

Hackers claim to have breached Nokia through a third-party contractor, allegedly stealing SSH keys, source code, and internal credentials. The data is being sold for $20,000 on BreachForums, though no customer data was affected. Nokia has not yet commented on the claim.

A notorious hacker known as Intel Broker has announced a data breach involving the telecommunications giant Nokia. Posting on the infamous cybercrime forum BreachForums, Intel Broker claims to have gained unauthorized access to sensitive Nokia information through a third-party contractor linked to Nokia’s internal tool development.

The hacker claims that no customer information was accessed, but they have obtained **critical internal data** from Nokia’s systems, which they’re now selling for $20,000.

**Details of the Breach**

According to Intel Broker’s post, the stolen data includes SSH keys, source code, RSA keys, Bitbucket logins, SMTP accounts, webhooks, and hardcoded credentials. All of these items could potentially enable further unauthorized access to internal systems or facilitate other types of cyber attacks. In an attempt to validate the breach, Intel Broker also shared a file tree, showcasing various files and folders apparently related to Nokia’s internal operations.

In an exclusive conversation with Hackread.com, Interl Broker said that the stolen data collection is up for sale for $20,000, and he is reaching out to prospective buyers on BreachForums. According to the post, only those with high-ranking status and sufficient reputation on the forum are being encouraged to inquire.

Intel Broker on Breach Forums (Screenshot: Hackread.com)

The hacker claims to have pulled this data from a contractor working closely with Nokia, rather than Nokia’s own systems directly. This method of breaching systems through third-party vendors has become **increasingly common**, as vendors are often granted extensive access to the companies they serve. Cybersecurity experts have long warned about this weak point, advising companies to ensure that security standards extend to their contractors and partners.

**Potential Impact**

While Intel Broker emphasizes that customer data is not included in the breach, the exposure of alleged Nokia’s internal data could still have widespread implications. With access to development environments, source code, and credentials, hackers could potentially tamper with Nokia’s tools or services, or exploit the vulnerabilities in these resources to compromise other systems.

Screenshot from the sample data that Hackread.com analysed

****Nokia’s Response****

At the time of reporting, there has been no official statement from Nokia on this alleged breach. However, Hackread.com has reached out to the company awaiting a response. Stay tuned.

****About Intel Broker****

Intel Broker who is also the owner of Breach Forums is known for high-profile data breaches. **In June 2024**, the hacker claimed to have breached Apple Inc., stealing source code for internal tools. The same hacker boasted about **breaching AMD** (Advanced Micro Devices, Inc.), and stealing employee and product information.

**In May 2024**, Intel Broker hacked Europol, a breach that the agency later confirmed. Some of the hacker’s previous data breaches are listed below:

*   **Tech in Asia**
*   **Space-Eyes**
*   **Home Depot**
*   **Facebook Marketplace**
*   **Staffing giant Robert Half**
*   **U.S. contractor Acuity Inc.**
*   **Los Angeles International Airport**
*   **Alleged breaches of HSBC and Barclays Bank**

Although the hacker’s origins and affiliates are unknown, according to the United States government, IntelBroker is alleged to be the perpetrator behind one of the **T-Mobile data breaches**.

1.  **Hacker Leaks Thousands of Nokia Employee Details**
2.  **Nokia Taiwan Hacked, 100,000+ accounts leaked online**
3.  **Cisco Network Breach as Employee’s Google Account was Hacked  
    **

Hackers Claim Access to Nokia Internal Data, Selling for $20,000

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

When you let go of that trapeze, you really want your teammates to be ready to catch you. Send us a cybersecurity-related caption to describe the above scene and our favorite will win its wordsmith a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the Nov. 27, 2024 deadline:

• Email \[email protected\] with the subject line "Edge November Toon."

• Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)

**Last Month's Winner**

Shout out — and a $25 Amazon gift card — to Joseph Ayella, a recurring winner, for sending us the winning caption for last month's "And For My Next Trick..." cartoon.

"I call this trick the woman-in-the-middle attack."

Some noteworthy contenders included: "All we could get was half a FTE for security assessments," "And with this SIEM solution, we could cut a half of our SOC analysts," and "I'm glad he's not the hacker." A big thank you to all who participated.

**About the Author**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Aerialist's Choice

Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft.
"Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including

Vulnerability / Cyber Threat

Cybersecurity researchers have disclosed six security flaws in the Ollama artificial intelligence (AI) framework that could be exploited by a malicious actor to perform various actions, including denial-of-service, model poisoning, and model theft.

"Collectively, the vulnerabilities could allow an attacker to carry out a wide-range of malicious actions with a single HTTP request, including denial-of-service (DoS) attacks, model poisoning, model theft, and more," Oligo Security researcher Avi Lumelsky said in a report published last week.

Ollama is an open-source application that allows users to deploy and operate large language models (LLMs) locally on Windows, Linux, and macOS devices. Its project repository on GitHub has been forked 7,600 times to date.

A brief description of the six vulnerabilities is below -

*   **CVE-2024-39719** (CVSS score: 7.5) - A vulnerability that an attacker can exploit using /api/create an endpoint to determine the existence of a file in the server (Fixed in version 0.1.47)
*   **CVE-2024-39720** (CVSS score: 8.2) - An out-of-bounds read vulnerability that could cause the application to crash by means of the /api/create endpoint, resulting in a DoS condition (Fixed in version 0.1.46)
*   **CVE-2024-39721** (CVSS score: 7.5) - A vulnerability that causes resource exhaustion and ultimately a DoS when invoking the /api/create endpoint repeatedly when passing the file "/dev/random" as input (Fixed in version 0.1.34)
*   **CVE-2024-39722** (CVSS score: 7.5) - A path traversal vulnerability in the api/push endpoint that exposes the files existing on the server and the entire directory structure on which Ollama is deployed (Fixed in version 0.1.46)
*   A vulnerability that could lead to model poisoning via the /api/pull endpoint from an untrusted source (No CVE identifier, Unpatched)
*   A vulnerability that could lead to model theft via the /api/push endpoint to an untrusted target (No CVE identifier, Unpatched)

For both unresolved vulnerabilities, the maintainers of Ollama have recommended that users filter which endpoints are exposed to the internet by means of a proxy or a web application firewall.

"Meaning that, by default, not all endpoints should be exposed," Lumelsky said. "That's a dangerous assumption. Not everybody is aware of that, or filters http routing to Ollama. Currently, these endpoints are available through the default port of Ollama as part of every deployment, without any separation or documentation to back it up."

Oligo said it found 9,831 unique internet-facing instances that run Ollama, with a majority of them located in China, the U.S., Germany, South Korea, Taiwan, France, the U.K., India, Singapore, and Hong Kong. One out of four internet-facing servers has been deemed vulnerable to the identified flaws.

The development comes more than four months after cloud security firm Wiz disclosed a severe flaw impacting Ollama (CVE-2024-37032) that could have been exploited to achieve remote code execution.

"Exposing Ollama to the internet without authorization is the equivalent to exposing the docker socket to the public internet, because it can upload files and has model pull and push capabilities (that can be abused by attackers)," Lumelsky noted.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning

The true measure of our cybersecurity prowess lies in our capacity to endure.

Source: Lasse Kristensen via Alamy Stock Photo

COMMENTARY

In July, the industry witnessed one of the largest technology outages in recent history, with estimates of $5.4 billion in damages. When CrowdStrike distributed a Rapid Response Content Channel Update with an exception-handling logic flaw, it opened the door for constructive conversations about automatic updates — when to use them, when not to use them, whether they make us more or less secure. It's time to reflect and ask: What is the cost of our relentless pursuit of innovation, software currency, and speed to market? How can we reprioritize to reestablish the balance in the C-I-A triad?

IT and security teams are under enormous pressure to stay ahead of threats. However, teams must not sacrifice the right checks and balances for speed. The CrowdStrike incident serves as a reminder to the industry that even the most secure and trusted systems can fail, and it's time to revisit how teams test and deploy critical updates.  

**The C-I-A Triad: Rebalancing Priorities**

The C-I-A triad is a foundational pillar of cybersecurity, representing the Confidentiality (security), Integrity (accuracy), and Availability of technology platforms. For too long, the cybersecurity community — vendors and customers alike — have fixated on the C in this triad. However, the C-I-A triad is supposed to represent the full scope of a cybersecurity program. With the main focus on privacy and data security, the industry over emphasized security — and in doing so, added speed to the equation. Teams are now responding faster and deploying updates quicker to stay ahead of emerging threats and day-to-day attacks, but that's leading to mistakes and improper testing.  

Meanwhile, the I and A were relegated to secondary status — even outsourced to other technology teams. Integrity — the accuracy, completeness, and consistency of the ecosystem and underlying data — was compromised in the name of speed. Availability also suffered as the focus shifted to rapid recovery rather than ensuring uptime and reliability, all for the sake of rapid innovation and response to perceived threats.  

If the CrowdStrike event has taught us anything, it is that now is the time for both vendors and customers to recommit themselves to recognizing the integral importance of and essential need to rebalance all three pillars of the C-I-A triad. In doing so, teams can build more resilient systems.  

**The Shift From Software to Critical Infrastructure**

Leaders need to undertake three key shifts to achieve the essential checks and balance systems inherent to the C-I-A triad.  

1\. Transparency: Vendors must be more transparent with their product updates and give customers more control over how updates are applied. Customers should be able to manually update, deploy updates in stages, and remain on a prior stable version as a matter of policy.  

In the case of the CrowdStrike event, the complex update caused the outage. First, the team deployed a configuration file in February. Later, in July, it deployed a Rapid Response Content Update. As part of that update, a configuration content validator, using the prior configuration file, attempted to apply the update, but due to the "logic bug" in the exception handling routines, the staggered update resulted in the infamous "blue screen of death" for many Windows servers and workstations. These channel updates are often a series of staged updates, all occurring at once. How many of CrowdStrike's customers understood this nuance of the update strategy? It's unclear, but they had limited control over the update and were unable to stage it so it could be certified and tested before affecting the entirety of the enterprise.  

2\. Reevaluate vendor testing: Platforms such as CrowdStrike have transformed to become a core component of critical infrastructure. Security vendors frequently push automatic updates to improve security, but this can also mean speeding through the "trust but verify; walk before you run; test test test" cycles. While speed matters, this incident should force teams to take a closer look at how they deploy updates, ensure integrity and availability, and maintain business resiliency.  

IT and security teams must reevaluate overreliance on vendor testing and automatic updates. Even small teams can have the flexibility to choose when to update without incurring substantial overhead. The update is automatic — but the time and place to update can be chosen. Leaders should consider implementing staggered updates, using staging and testing environments to certify and assess the viability and stability of the update. More credence and consideration should be given to the value of updating now versus waiting to give more ability to ensure that the integrity and availability won't be compromised by the update.  

3\. Improve testing environments: Companies must ensure that cybersecurity teams have adequate testing environments available for certifying and testing security updates and implementations. The same diligence given to IT and development teams must be applied to cybersecurity.  

Security is no longer software; it's a foundational component of critical infrastructure. As seen with the CrowdStrike event, banks, transportation, manufacturing, and financial markets can all be devastated by a failure of the security ecosystem. As the industry continues to see convergence of solutions to a few vendors, it's important to make these platforms more resilient.   

The true measure of our cybersecurity prowess lies in our capacity to endure. Teams should embrace those proven patterns of change management that have served us well in the past, but also evolve and expand in scope to accommodate new technology and new potential threats. Vendors must empower customers with greater control and flexibility in how and why they deploy our solutions and updates. Technology and security practitioners, in turn, must use this moment as a clarion call to rethink priorities and recommit to balancing and counterbalancing the security, integrity, and availability drivers that empower our security tools.   

This creates a durable security future, regains and rebuilds essential fiduciary trust, and ensures that teams can rise to every threat while never again falling into complacency, valuing speed and ease at the expense of everything else. 

**About the Author**

CISO, Silverfort

John Paul Cunningham is the CISO of Silverfort. He has a passion for managing security and risk within firms, and has built and led information security, risk management, comprehensive technology organizations, and developed customer-facing organizations built on customer and organizational success. His sphere of influence extends from the board room to the break room, where he brings business and technology together to deliver solutions that propel the organization forward to achieve its goals.

Can Automatic Updates for Critical Infrastructure Be Trusted?

Scammers are exploiting DocuSign’s APIs to send realistic fake invoices, primarily targeting security software like Norton. This phishing…

Scammers are exploiting DocuSign’s APIs to send realistic fake invoices, primarily targeting security software like Norton. This phishing technique bypasses traditional email spam filters by originating from legitimate DocuSign accounts and templates, making detection challenging.

Cybersecurity researchers at automated API security solutions provider, Wallarm, have revealed a new threat exploiting DocuSign APIs to send phishing invoices. The company reports that cybercriminals are employing a new phishing technique that leverages the legitimacy of DocuSign’s platform. By exploiting DocuSign’s APIs, attackers send highly authentic-looking fake invoices that evade traditional email filters.

This clever approach increases the risk for organizations and unsuspecting users, as it capitalizes on the trust associated with reputable platforms, making detection quite challenging.

In its latest blog post shared exclusively with Hackread.com ahead of its publishing on Monday, the modus operandi of these attacks involves the creation of paid DocuSign accounts. These accounts grant attackers the ability to modify templates and utilize APIs for automated document generation and distribution.

By customizing official DocuSign templates to mimic **well-known brands**, such as cybersecurity giant Norton, cybercriminals can create convincing invoices that are difficult to distinguish from legitimate communications. The automation capabilities provided by DocuSign’s APIs enable attackers to efficiently distribute these fraudulent invoices at scale, maximizing their potential impact. It happens because DocuSign’s API-friendly environment allows attackers to customize invoices to match company branding.

Fake Norton invoices (Screenshot via Wallarm)

“These fake invoices may contain accurate pricing for the products to make them appear authentic, along with additional charges, like a $50 activation fee. Other scenarios include direct wire instructions or purchase orders,” the **blog post** read.

The consequences of these attacks are major. Victims may e-sign fraudulent invoices, authorizing unauthorized payments. Furthermore, the legitimacy of DocuSign’s platform allows phishing emails to bypass traditional spam filters, increasing the chance of successful delivery. 

****Mitigating and Protection****

To mitigate the risks associated with these attacks, organizations must adopt a multi-faceted approach. Firstly, it is important to verify the authenticity of sender credentials, including email addresses and sender accounts. Implementing strict internal approval processes for financial transactions can also help prevent unauthorized payments.

Additionally, organizations should prioritize **employee awareness training** to educate staff about this increasing threat. By regularly monitoring for irregularities in invoices, such as unexpected charges or unusual requests, organizations can identify and respond to potential threats. Finally, following **DocuSign’s anti-phishing guidelines** can provide additional protection.

1.  **Microsoft Warns of Tax Returns Phishing Scams**
2.  **Blank Images Used to Evade Anti-Malware Checks**
3.  **Scammers using Google Docs exploit in phishing links**
4.  **Microsoft Office Most Exploited Software in Malware Attacks**
5.  **LinkedIn Phishing Scam Steals Gmail Credentials Via Google Docs**

Latest News