A vulnerability was found in Ruijie BCR810W 2.5.10. It has been rated as critical. This issue affects some unknown processing of the component Tracert Page. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-233477 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-3608

By Waqas
Revolut has not yet issued an official statement regarding the cyber attack.
This is a post from HackRead.com Read the original post: Global Neobank Revolut Hacked; $20 Million Stolen

**The breach, which occurred in early 2022, was reportedly the result of the exploitation of an undisclosed vulnerability in Revolut’s payment systems.**

Revolut, a global neobank and financial technology company, fell victim to a devastating cyber attack earlier this year, resulting in the theft of over $20 million from the company’s funds.

The breach, which occurred in early 2022, was only recently brought to light by the Financial Times, relying on information from anonymous sources familiar with the incident. Revolut has yet to publicly disclose the breach.

According to the **report**, the attack exploited an undisclosed vulnerability in Revolut’s payment systems. The flaw, which remained undetected until late 2021, revolved around inconsistencies between the company’s U.S. and European systems. Consequently, when certain transactions were declined, the systems erroneously refunded the amounts using Revolut’s own money.

Unfortunately, organized criminal groups capitalized on this flaw, orchestrating a scheme that enticed individuals to make high-value purchases they knew would be declined. The refunded amounts were then **swiftly withdrawn from ATMs**, further exacerbating the breach. It is important to note that specific technical details related to the vulnerability remain undisclosed.

The cyber attack resulted in the theft of approximately $23 million from Revolut. However, diligent efforts to track down those responsible led to the recovery of some of the stolen funds. In the end, Revolut incurred a substantial net loss of approximately $20 million due to this mass fraud scheme.

Revolut, a popular digital banking platform known for its user-friendly interface and global presence, has been making significant strides in the fintech industry. The company boasts over 15 million customers worldwide, offering a range of financial services, including money transfers, cryptocurrency trading, and investment options. This cyber attack has dealt a significant blow to the reputation of the neobank and highlights the ongoing challenges faced by companies operating in the digital realm.

As news of the breach circulates, concerns about the security of digital banking systems have resurfaced, raising questions about the robustness of existing cybersecurity measures in the financial sector. Revolut’s failure to detect and address the vulnerability in a timely manner underscores the pressing need for enhanced security protocols and greater vigilance in protecting user funds.

Revolut has not yet issued an official statement regarding the cyber attack. However, industry experts and stakeholders eagerly await the company’s response, as it will undoubtedly play a crucial role in determining the future course of action for the neobank. As the investigation progresses, authorities will be working diligently to identify the culprits behind the breach and hold them accountable for their actions.

This incident serves as a stark reminder that the rapid digitization of financial services must be met with robust cybersecurity measures. Financial institutions and fintech companies must remain ever-vigilant in their efforts to safeguard user data and funds from **increasingly sophisticated cyber threats**.

**RELATED ARTICLES**

1.  Qatar National Bank Hacked, 1.4GB Database Leaked
2.  Gone: Russian Central Bank hacked; $31 million stolen
3.  Brazilian Hackers Hit Portuguese Banks in Malware Attack
4.  Hacker Leaks 73M Records from Indian HDFC Bank Subsidiary

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Global Neobank Revolut Hacked; $20 Million Stolen

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between June 30 and July 7. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for June 30 to July 7

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the command parameter in the setTracerouteCfg function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-37173: Vuls/TOTOLINK/A3300R/cmdi_4 at main · kafroc/Vuls

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

Not yet — but it can help make incremental progress in reducing vulnerability backlogs.

Organizations worldwide are in a race to adopt AI technologies into their cybersecurity programs and tools. A majority (65%) of developers use or plan on using AI in testing efforts in the next three years. There are many security applications that will benefit from generative AI, but is fixing code one of them?

For many DevSecOps teams, generative AI represents the holy grail for clearing their increasing vulnerability backlogs. Well over half (66%) of organizations say their backlogs are comprised of more than 100,000 vulnerabilities, and over two-thirds of static application security testing (SAST) reported findings remain open three months after detection, with 50% remaining open after 363 days. The dream is that a developer could simply ask ChatGPT to "fix this vulnerability," and the hours and days previously spent remediating vulnerabilities would be a thing of the past.

It's not an entirely crazy idea, in theory. After all, machine learning has been used effectively in cybersecurity tools for years to automate processes and save time — AI is hugely beneficial when applied to simple, repetitive tasks. But applying generative AI to complex code applications has some flaws, in practice. Without human oversight and express command, DevSecOps teams could end up creating more problems than they solve.

**Generative AI Advantages and Limitations Related to Fixing Code**

AI tools can be incredibly powerful tools for simple, low-risk cybersecurity analysis, monitoring, or even remedial needs. The concern arises when the stakes become consequential. This is ultimately an issue of trust.

Researchers and developers are still determining the capabilities of new generative AI technology to produce complex code fixes. Generative AI relies on existing, available information in order to make decisions. This can be helpful for things like translating code from one language to another, or fixing well-known flaws. For example, if you ask ChatGPT to "write this JavaScript code in Python," you are likely to get a good result. Using it to fix a cloud security configuration would be helpful because the relevant documentation to do so is publicly available and easily found, and the AI can follow the simple instructions.

However, fixing most code vulnerabilities requires acting on a unique set of circumstances and details, introducing a more complex scenario for the AI to navigate. The AI might provide a "fix," but without verification, it should not be trusted. Generative AI, by definition, can't create something that is not already known, and it can experience hallucinations that result in fake outputs.

In a recent example, a lawyer is facing serious consequences after using ChatGPT to help write court filings that cited six nonexistent cases the AI tool invented. If AI were to hallucinate methods that do not exist and then apply those methods to writing code, it would result in wasted time on a "fix" that can't be compiled. Additionally, according to OpenAI's GPT-4 whitepaper, new exploits, jailbreaks, and emergent behaviors will be discovered over time and be difficult to prevent. So careful consideration is required to ensure AI security tools and third-party solutions are vetted and regularly updated to ensure they do not become unintended backdoors into the system.

**To Trust or Not to Trust?**

It's an interesting dynamic to see the rapid adoption of generative AI play out at the height of the zero-trust movement. The majority of cybersecurity tools are built on the idea that organizations should never trust, always verify. Generative AI is built on the principle of inherent trust in the information made available to it by known and unknown sources. This clash in principles seems like a fitting metaphor for the persistent struggle organizations face in finding the right balance between security and productivity, which feels particularly exacerbated at this moment.

While generative AI might not yet be the holy grail DevSecOps teams were hoping for, it will help to make incremental progress in reducing vulnerability backlogs. For now, it can be applied to make simple fixes. For more complex fixes, they'll need to adopt a verify-to-trust methodology that harnesses the power of AI guided by the knowledge of the developers who wrote and own the code.

Tag

#acer