A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory.
The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2. 8.3, 8.4, and other previous versions.
IdentityIQ "allows

Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

Cybersecurity researchers have called attention to a novel phishing campaign that leverages corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses.
"The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox," ANY.RUN said in a series of posts on X.
The

Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses

BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

Source: Andrey Suslov via Alamy Stock Photo

NEWS BRIEF

In an effort to convince consumers that it's safe to answer their phones, root of trust provider SecureG has partnered with CTIA, a trade association that represents the wireless communications industry, on an initiative intended to deliver a secure branded call experience for businesses.

Branded Calling ID (BCID) is an industry-led, standards-based Rich Call Data project to create a secure, interoperable ecosystem in which businesses can embed information like their logos and reason for calling when they reach out to consumers by phone. BCID digital signatures are secured by SecureG's public key infrastructure (PKI) solutions. 

"No one wants to answer their phone because of all the spam and scams, and it is only getting worse now that AI-generated voices can impersonate people and businesses," said Todd Warble, CTO of SecureG, in a statement. BCID has a secure-by-design foundation that enables consumers to trust the authenticity of the brands and intentions of the caller, Warble said.

To secure the caller's brand identity, SecureG provides high-assurance operations of the CTIA Secure Telephone Identity Certification Authority (CTIA STI-CA), Intermediate Certification Authority, and the Certificate Repository. The SecureG trust anchors, secured in hardened concrete bunkers, give BDIC the ability to authenticate participants to sign calls. The BCID system is designed to work across networks and mobile phones, and enterprise customers pay only for branded calls that are confirmed delivered. 

BCID allows businesses to brand their calls while preventing scammers and spammers from gaining access to NCID signing certificate. BCID is designed to work seamlessly across networks and mobile phones, so enterprise businesses can deliver trusted, branded calls to their consumers.

The initiative is aimed at reducing the risk of fraud and spam calls from bad actors who impersonate real businesses. A recent survey found that three-quarters of respondents would answer a call if the caller was authenticated by a name, logo, or reason for the call, the company said in a statement. BCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.

**About the Author**

Contributing Writer

Jennifer Lawinski is a writer and editor with more than 20 years experience in media, covering a wide range of topics including business, news, culture, science, technology and cybersecurity. After earning a Master's degree in Journalism from Boston University, she started her career as a beat reporter for The Daily News of Newburyport. She has since written for a variety of publications including CNN, Fox News, Tech Target, CRN, CIO Insight, MSN News and Live Science. She lives in Brooklyn with her partner and two cats.

SecureG, CTIA Project Secures Business Phone Calls

SUMMARY Cybercriminals are exploiting SpyLoan, or predatory loan apps, to target unsuspecting users globally. McAfee cybersecurity researchers report…

****SUMMARY****

*   **SpyLoan Rise:** SpyLoan apps have increased by 75% between Q2 and Q3 2024, targeting users globally.

*   **Play Store Threat:** 15 malicious loan apps on Google Play have been downloaded over 8 million times.

*   **How They Work:** These apps lure users with fake loan offers, harvest sensitive data, and exploit victims financially.

*   **Global Impact:** High prevalence reported in India, Mexico, the Philippines, Kenya, and seven other countries.

*   **Staying Safe:** Users should research apps, avoid granting excessive permissions, and use antivirus software.

Cybercriminals are exploiting SpyLoan, or predatory loan apps, to target unsuspecting users globally. McAfee cybersecurity researchers report a whopping 75% rise in SpyLoan apps and infected devices between Q2 and Q3 of 2024. These apps lure users with promises of quick, hassle-free loans but are designed to harvest sensitive data, resulting in extortion, harassment, and financial losses.

This increase can be understood by the fact that researchers spotted 15 such apps on the official Google Play Store with over 8 million installations worldwide. These apps, especially targeting users in South America, Southern Asia, and Africa, use social engineering tactics to trick users into providing sensitive information and granting excessive permissions.

Malicious apps (Credit: McAfee)

Here’s a list of malicious PayLoan apps found on the Google Play Store:

1.  **Préstamo Seguro-Rápido, seguro** – Downloads 1M, Country: Mexico – Deleted
2.  **Préstamo Rápido-Credit Easy** – Downloads 1M, Country: Colombia – Available
3.  **ได้บาทง่ายๆ-สินเชื่อด่วน** – Downloads: 1M, Country: Senegal – Available
4.  **RupiahKilat-Dana cair** – Downloads: 1M, Country: Senegal – Available
5.  **ยืมอย่างมีความสุข – เงินกู้** – Downloads: 1M, Country: Thailand – Deleted
6.  **เงินมีความสุข – สินเชื่อด่วน** – Downloads: 1M, Country: Thailand – Deleted
7.  **KreditKu-Uang Online** – Downloads: 500K, Country: Indonesia – Deleted
8.  **Dana Kilat-Pinjaman kecil** – Downloads: 500K, Country: Indonesia – Available
9.  **Cash Loan-Vay tiền** – Downloads: 100K, Country: Vietnam – Available
10.  **RapidFinance** – Downloads: 100K, Country: Tanzania – Deleted
11.  **PrêtPourVous** – Downloads: 100K, Country: Senegal – Deleted
12.  **Huayna Money – Préstamo Rápido** – Downloads: 100K, Country: Peru – Deleted
13.  **IPréstamos: Rápido Crédito** – Downloads: 100K, Country: Chile – Available
14.  **ConseguirSol-Dinero Rápido** – Downloads: 100K, Country: Peru – Deleted
15.  **ÉcoPrêt Prêt En Ligne** – Downloads: 50K, Country: Thailand – Available

****How SpyLoan Apps Work****

These apps operate by using a common framework to encrypt and exfiltrate data from a victim’s device to a command and control (C2) server. They often use deceptive marketing, mimicking reputable financial institutions, and are promoted through social media ads. Once installed, they request unnecessary permissions, such as access to contacts, SMS, storage, and even a microphone or camera.

The apps then use a similar onboarding process, including a countdown timer to create a sense of urgency and require users to provide sensitive identification documents and personal information. This data is then exfiltrated and used for financial exploitation, including hidden fees and high interest rates, as well as privacy violations, such as data misuse and harassment.

The consequences of using these apps can be devastating. Users have reported receiving threatening calls and death threats, having personal photos and IDs misused, and experiencing emotional and psychological distress. In some cases, victims have even reported suicidal thoughts.

The threat of SpyLoan apps is not limited to a single region. They have been reported globally, with localized adaptations. India, Mexico, Philippines, Indonesia, Thailand, Kenya, Colombia, Vietnam, Chile, and Nigeria are among the top 10 countries with the highest prevalence of fake loan apps.

****Law Enforcement Actions****

While law enforcement agencies have taken action against some of these operations, the threat persists. In Peru, authorities raided a call center engaged in extortion and fake loan app operations, detaining over 300 individuals. In Chile, the commission for the financial market has highlighted tens of fraudulent credit applications distributed on Google Play.

****Protecting Yourself****

To avoid falling victim to these predatory loan apps, users must be cautious when downloading financial apps. Here are some tips:

*   Read reviews and check ratings
*   Research the app and its developer thoroughly
*   Be wary of apps that request excessive permissions
*   Use reputable antivirus software to detect and block malicious apps
*   Never provide sensitive information without verifying the app’s legitimacy

1.  New Tool DVa Detects and Removes Android Malware
2.  Scammers Using Fake Loan Apps for Money Laundering
3.  These 8 Apps on Play Store Contain Android/FakeApp Trojan
4.  “Scary” FakeCall Android Malware Captures Photos and OTPs
5.  Octo2 Android Malware Uses Fake NordVPN App to Infect Phones

15 SpyLoan Apps Found on Play Store Targeting Millions

Organizations that rely on their content delivery network provider for Web application firewall services may be inadvertently leaving themselves open to attack.

Source: ArtemisDiana via Shutterstock

Many organizations using Web application firewall (WAF) services from content delivery network (CDN) providers may be inadvertently leaving their back-end servers open to direct attacks over the Internet because of a common configuration error.

The problem is so pervasive that it affects nearly 40% of Fortune 100 companies leveraging their CDN providers for WAF services, according to researchers at Zafran who studied the cause and scope of the problem recently. Among the organizations that the researchers found susceptible to attacks included recognizable brands, including Chase, Visa, Intel, Berkshire Hathaway, and UnitedHealth.

**Pervasive Issue**

WAFs act as intermediaries between users and Web applications. They inspect traffic for a range of threats and block or filter anything deemed suspicious or matching known patterns of malicious activity. Many organizations have deployed WAFs in recent years to protect Web applications against vulnerabilities they haven't had time to patch.

Organizations have multiple options for deploying WAFs, including on-premises in the form of physical or virtual appliances. There are also cloud- and host-based WAFs.

In total, Zafran found some 2,028 domains belonging to 135 companies among the Fortune 1000 that contain at least one supposedly WAF-protected server that an attacker could directly access over the Internet to launch denial-of-service (DoS) attacks, distribute ransomware, and execute other malicious activities.

"The responsibility \[for\] the misconfiguration lies primarily \[with\] the customers of CDN/WAF providers," says Ben Seri, chief technology officer of Zafran. But CDN providers who offer WAF services share some responsibility as well for failing to offer customers proper risk avoidance measures and for not building their networks and services to circumvent misconfigurations in the first place, he says. 

The problem, as Seri explains it, has to do with organizations not adequately validating Web requests to back-end origin servers that host the actual content, applications, or data that users are trying to access.

**A Failure to Follow Best Practices**

With a CDN-integrated WAF service, the CDN provider — like a Cloudflare or an Akamai — provides the WAF as part of its edge infrastructure. All incoming traffic to an organization's Web applications is routed through the CDN's WAF — a reverse proxy server within the vendor's edge network. The reverse proxy identifies which back-end server or resource a particular Web request is intended for and then routes it there in an encrypted fashion. "This means that when a CDN service is used as a WAF, the web application it protects is open to Internet traffic and is expected to validate that it responds only to web traffic that originates from and by the CDN service," according to the Zafran blog post.

If the customer is using best practices, the IP address of the back-end server is something that only the customer and CDN provider would know. CDN providers also recommend that organizations add IP filtering mechanisms to ensure that only requests from the CDN provider's IP address range are permitted access to back-end servers. Other recommendations include using pre-shared digital secrets known only to the CDN provider and the back-end server as a validation mechanism, and using what is known as mutual TLS authentication to validate both the origin server and the CDN provider's proxy server.

These measures are effective in protecting back-end servers when implemented correctly. But what Zafran discovered was that many organizations have not adopted any of these recommended validation precautions, thereby leaving back-end servers directly accessible over the Internet. "It is a lack of validation in Web applications that are designed to be protected by a CDN/WAF that leaves them open to all Internet traffic," Seri says. "It is like having a private S3 bucket left open to the Internet as a public bucket. Only in this case, it is protected Web applications that are left open to the Internet, instead of allowing only inbound traffic from the CDN provider."

**Easy to Find**

Exacerbating the situation is the fact that the IP addresses of enterprise origin services are not as private as many assume, Zafran's researchers found. The security vendor pointed to certificate transparency (CT) logs as one example of a relatively easy place for attackers and researchers to discover all domains belonging to a specific organization. CT logs provide a publicly accessible record of all SSL/TLS certificates that certificate authorities issue to website operators and are meant to improve trust and accountability around certificate issuance. Unfortunately, they also provide a starting point for attackers to gather detailed information on all the domains and subdomains belonging to an organization, including those associated with critical back-end servers and services.

"The issue was discovered to be extremely widespread," Seri says. "From a random sample of Internet servers that were designed to be protected by Cloudflare, 13% were found to suffer from this misconfiguration. This means that, potentially, 13% of all domains protected by Cloudflare can be directly attacked." Unfortunately, CDN/WAF providers require the cooperation of their customers, who control their own load balancers and Web applications, to mitigate this threat, he adds. Zafran is contacting affected companies as well as impacted CDN/WAF providers to help them quickly identify the full extent of this misconfiguration and address it, Seri says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Misconfigured WAFs Heighten DoS, Breach Risks

PRESS RELEASE

NEW YORK, Dec. 3, 2024 /PRNewswire/ -- BigID, a data security, privacy, compliance, and AI data management company, today announced the launch of Data Activity Monitoring. BigID empowers organizations to proactively identify risks, respond faster to potential threats, and help strengthen regulatory compliance. BigID's Data Activity Monitoring helps organizations manage the risk of data breaches and strengthens their overall security posture by alerting on potential insider risk, unauthorized access, and data misuse.

Unlike traditional Data Detection & Response (DDR) tools that are limited to sensitive data discovery and policy violations, BigID's Data Activity Monitoring goes further by tracking data access activity. With insights into who is accessing data, when, how, and what they're doing with it, Data Activity Monitoring enhances the contextual intelligence needed for comprehensive data security and proactive breach prevention.

Key Benefits of BigID's Data Activity Monitoring:

*   Enhanced Security Decision-Making: Get contextual, data-driven insights for more accurate decisions on access control, retention, and remediation.
    
*   Proactive Risk & Access Management: Monitor activity around sensitive data to identify unnecessary permissions, over-permissioned users, and potential insider threats before breaches occur.
    
*   Streamlined Compliance & Auditing: Generate detailed audit trails that help meet regulatory requirements, simplifying compliance and enhancing data governance.
    
*   Efficient Security Investigations: Gather contextual insights into data access patterns, enabling faster investigations and accurate remediation.
    
*   Improved Data Ownership Accountability: Track user interactions with data to clarify ownership and facilitate efficient delegation of security tasks.
    

"With Data Activity Monitoring, we're redefining the level of control and visibility organizations have over their data," said Dimitri Sirota, CEO of BigID. "Our customers need to be able to not only have visibility into their sensitive data but also understand how it's accessed and used, and enact controls around it. BigID's Data Activity Monitoring goes beyond detection, providing near real-time insights necessary to help prevent data breaches, support compliance, and empower security teams to make informed decisions."

To learn more: 

About BigID

BigID empowers organizations to know their enterprise data and take action for data-centric security, privacy, compliance, AI innovation, and governance. Customers deploy BigID to proactively discover, manage, protect, and get more value from their regulated, sensitive, and personal data across their data landscape.

BigID has earned numerous accolades, including being highlighted as CRN's top 100 security companies two years in a row in 2024 and 2023, a finalist in CRN's 2024 Tech Innovator Awards, recognized as the most innovative security company of the year for its AI data security in the 2024 Globee Awards, and named as a "Market Leader Data Security Posture Management (DSPM)" in the 2023 Global InfoSec Awards. Additionally, BigID's impressive growth earned it a spot on the 2024 Deloitte 500 for the fourth consecutive year, one of CNBC's Top 25 Startups for the Enterprise, named to the Forbes Cloud 100, and recognized on the 2024 Inc. 5000 for the fourth consecutive year.

You May Also Like

BigID Releases Data Activity Monitoring to Extend DDR, Detect Malicious Actors, and Strengthen Data Security Posture

PRESS RELEASE

TAMPA BAY, Fla., Dec. 3, 2024 /PRNewswire/ -- KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today released its Q3 2024 Phishing Report. This quarter's findings reveal the most frequently clicked email subjects in simulated phishing tests, demonstrating the continued efficacy of HR and IT-related phishing attempts.

KnowBe4's Q3 2024 Phishing Report reveals that HR and IT-related phishing emails claim a significant 48.6% share of top-clicked phishing types globally. Despite evolving techniques by bad actors, phishing emails remain among the most prevalent tools for executing cyberattacks. KnowBe4's 2024 Phishing by Industry Benchmarking Report reveals that about one in three users is susceptible to interacting with malicious links or fraudulent requests. Exploiting this vulnerability, cybercriminals craft deceptively authentic phishing emails that align with current trends, exploiting human emotions to invoke urgency and trick recipients into clicking malicious links or opening harmful attachments.

The report spotlights the ongoing threat posed by email-embedded phishing links, which continue to be the top attack vector of choice. These malicious links, PDF attachments and spoofed domains, when interacted with, often result in disastrous cyberattacks, including ransomware attacks and business email compromise. The report also reveals a surge in phishing campaigns leveraging QR codes. Popular QR code phishing subjects include HR reminders for policy reviews, DocuSign emails to sign an urgent document, and Zoom meeting invitations. These messages, often masquerading as communication from HR, colleagues or external vendors, pose substantial risks as they can easily be replicated by malicious actors.

"Our latest phishing report underscores the evolving sophistication of phishing tactics, with cybercriminals increasingly exploiting the trust employees place in internal communications," said Stu Sjouwerman, CEO of KnowBe4. "The prevalence of HR and IT-themed phishing attempts, coupled with emerging techniques like QR code integration, presents a complex threat landscape. These tactics are particularly deceptive as they leverage the perceived legitimacy of trusted sources, often prompting hasty actions before verification. In this rapidly changing environment, a well-trained workforce and a robust security culture are not just beneficial—they are essential. By prioritizing human risk management, organizations can effectively build a formidable defense against avoidable cyberthreats."

To download a copy of the Q3 2024 KnowBe4 Phishing Report infographic, visit here.

About KnowBe4 

KnowBe4 empowers workforces to make smarter security decisions every day. Trusted by over 70,000 organizations worldwide, KnowBe4 helps to strengthen security culture and manage human risk. KnowBe4 offers a comprehensive AI-driven 'best-of-suite' platform for Human Risk Management, creating an adaptive defense layer that fortifies user behavior against the latest cybersecurity threats. The HRM+ platform includes modules for awareness & compliance training, cloud email security, real-time coaching, crowdsourced anti-phishing, AI Defense Agents, and more. As the only global security platform of its kind, KnowBe4 utilizes personalized and relevant cybersecurity protection content, tools and techniques to mobilize workforces to transform from the largest attack surface to an organization's biggest asset.

You May Also Like

KnowBe4 Releases the Latest Phishing Trends in Q3 2024 Phishing Report

Companies today constantly look for ways to improve their work with customers and perform better overall. The transition…

Companies today constantly look for ways to improve their work with customers and perform better overall. The transition to a more digital approach has become important for businesses that want to stay ahead in the market. A big part of this change is using customer relationship management (CRM) systems. Salesforce is one of the top choices for CRMs because it offers a wide range of features that can be adapted to different industries. This article will explore how using Salesforce can help drive digital transformation in organizations.

****Understanding Digital Transformation****

Digital transformation involves integrating technology into various aspects of business operations to change how companies function and fundamentally provide value to customers. It encompasses a culture shift that requires organizations to question traditional approaches, test new technologies, and adjust to evolving market trends.

According to Skydog Ops, a Salesforce integration company, Salesforce hosts more than 150,000 customers worldwide including Apple, Amazon Web Service and Walmart Inc, showcasing productivity and enhanced customer satisfaction.

****The Significance of CRM Systems****

Customer Relationship Management (CRM) systems play a critical role in driving transformation initiatives by enabling businesses to manage interactions with current and prospective customers more efficiently. These tools assist companies in gathering and analyzing customer data to improve decision-making and tailor experiences. Through the use of CRM systems, businesses can optimize their operations, automate tasks, and cultivate meaningful connections with customers.

****Salesforce: A Leader in CRM Solutions****

Salesforce has emerged as a leader in the CRM industry with its range of cloud-based solutions designed for sales support, customer service, and other business needs. Among the platform’s functionalities are wide applications that help businesses organize customer information, analyze interactions, and gather valuable insights. These tools are customized to fit an organization’s goals during its digital transformation efforts.

****Enhancing Customer Experience****

One of the primary goals of digital transformation is to enhance the customer experience, and Salesforce aids in achieving this by enabling companies to offer personalized and seamless interactions across various platforms. Leveraging real-time customer data allows businesses to customize their marketing strategies, delivering relevant content and promotions. Furthermore, with Salesforce’s automation features, organizations can provide timely responses to customer queries, improving satisfaction and fostering customer loyalty.

**Streamlining Business Processes**

Integrating Salesforce into business operations can greatly improve efficiency by automating routine tasks and enabling employees to focus on strategic priorities instead of manual work such as data entry, reporting, or workflow management. This shift toward automation helps minimize errors and boosts productivity across the organization. These improvements align with the goals of digital transformation, which seek to enhance both efficiency and effectiveness.

****Data-Driven Decision Making****

In today’s digital age, data is a valuable asset, and Salesforce equips businesses with the tools to unlock its full potential. By utilizing the in-depth analytics and reporting tools provided by Salesforce, businesses can gain insights into customer behaviour, discover sales patterns, and identify market opportunities. This data-driven approach allows companies to make informed decisions, refine strategies, and highlight areas for improvement—ultimately leading to enhanced agility and adaptability in response to evolving market dynamics.

****Fostering Collaboration and Innovation****

Salesforce’s use of cloud technology promotes collaboration by improving communication between departments and sparking creativity through shared access to information and ideas across the organization. The ability to work together seamlessly helps foster innovation and drives organizational growth.

****Scalability and Flexibility****

As companies grow and evolve, their requirements change. Salesforce’s scalability allows businesses to adapt their CRM system to meet the demands of growth and shifting circumstances. The platform’s versatility enables organizations to integrate new functionalities and applications, tailoring the system to meet their specific needs. This flexibility ensures that Salesforce remains a valuable tool throughout the entire transformation process.

****Overcoming Implementation Challenges****

Implementing Salesforce comes with its own set of challenges that organizations must address. Proper planning and execution are essential to avoid setbacks. To ensure a smooth rollout, it’s important to evaluate business requirements, set clear goals, and provide adequate training for employees. Working with professionals or consultants can also make the process more efficient, allowing businesses to fully leverage the benefits of Salesforce.

****Conclusion****

The use of Salesforce is crucial in leading the digital evolution of businesses across various sectors. Its wide range of features, flexibility, and focus on customer satisfaction make it an effective tool for improving productivity, promoting creativity, and gaining a competitive advantage. By adopting Salesforce, organizations can unlock the full benefits of digital transformation and position themselves for long-term success in an increasingly digital world.

1.  A Look at the 4 Main Functionalities of NetSuite
2.  The Role of Artificial Intelligence in Lead Generation
3.  How to Find Success with the Salesforce Admin Exam
4.  Types of SaaS Applications: Categories and Examples
5.  Effective, and powerful tools for identifying site visitors

The Role of Salesforce Implementation in Digital Transformation

A change in ownership and what it means for our readers.

Source: Informa TechTarget

Dear Reader,

Today, Informa Tech, the company behind Dark Reading, is combining with TechTarget's technology websites and Industry Dive's award-winning industry publications to create a new company: Informa TechTarget.

Our editorial footprint is greatly expanding. The combined Informa TechTarget newsroom features many of the most trusted publications in B2B media, over 300 world-class business journalists, and in-depth coverage across 30+ technology segments and 45+ industry verticals. In 2025 alone, we expect to produce over 60,000 stories that provide essential information for our readers across many markets. 

For more information, you can read the company's press release and check out our combined portfolio of publications.

Our commitment to you remains the same here at Dark Reading. Our group of highly experienced cybersecurity journalists will continue to independently report on the most notable developments, innovations, and disruptions in our industry. Whether navigating new technologies, cyber threats and vulnerabilities, regulations, or market dynamics, you need insight you can trust to make smart decisions and navigate the evolving cybersecurity business landscape. Readers who come to Dark Reading can expect reliable industry information they can't get anywhere else. 

Thank you for reading — and stay tuned for more vital coverage and resources as we continue to grow.

Kelly Jackson Higgins

Editor-in-Chief, Dark Reading

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Note From the Editor-in-Chief

An implementation bug in the Kolide Agent (known as `launcher`) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. Impacted versions include versions >= 1.5.3 and the fix has been released in 1.12.3. 

The bug was introduced in version 1.5.3 when launcher started storing upgraded binaries in the ProgramData directory (#1510). This move to the new directory meant the launcher root directory inherited default permissions that are not as strict as the previous location. These incorrect default permissions in conjunction with an omitted SystemDrive environmental variable (when launcher starts osqueryd), allows a malicious actor with access to the local Windows device to successfully place an arbitrary DLL into the osqueryd process's search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM.

This issue was found by Bryan Alexander of Atredis Partners and responsibly reported through the Kolide bug bounty program. Kolide made the appropriate changes and released a fix in version 1.12.3 of the `launcher` package.


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-54131

**Kolide Agent Privilege Escalation (Windows, Versions >= 1.5.3, < 1.12.3)**

High severity GitHub Reviewed Published Dec 3, 2024 in kolide/launcher • Updated Dec 3, 2024

**Package**

gomod github.com/kolide/launcher (Go)

**Affected versions**

\>= 1.5.3, < 1.12.3

An implementation bug in the Kolide Agent (known as launcher) allows for local privilege escalation to the SYSTEM user on Windows 10 and 11. Impacted versions include versions >= 1.5.3 and the fix has been released in 1.12.3.

The bug was introduced in version 1.5.3 when launcher started storing upgraded binaries in the ProgramData directory (#1510). This move to the new directory meant the launcher root directory inherited default permissions that are not as strict as the previous location. These incorrect default permissions in conjunction with an omitted SystemDrive environmental variable (when launcher starts osqueryd), allows a malicious actor with access to the local Windows device to successfully place an arbitrary DLL into the osqueryd process's search path. Under some circumstances, this DLL will be executed when osqueryd performs a WMI query. This combination of events could then allow the attacker to escalate their privileges to SYSTEM.

This issue was found by Bryan Alexander of Atredis Partners and responsibly reported through the Kolide bug bounty program. Kolide made the appropriate changes and released a fix in version 1.12.3 of the launcher package.

**References**

*   GHSA-66q9-2rvx-qfj5
*   kolide/launcher#1510

Published to the GitHub Advisory Database

Dec 3, 2024

Latest News