Dark Reading's weekly roundup of all the OTHER important stories of the week.

Welcome to Dark Reading's weekly digest of the can't-miss stories of the week, featuring the lowdown on the Neopets breach and what it means for consumer-facing companies of all kinds; Google Drive and the trouble with the malicious use of cloud applications; a slew of disclosures about state-sponsored campaigns; and a Google Ads-related malvertising issue.  

Dark Reading's editors have gathered all of the interesting threat intelligence and cyber-incident stories that we just didn't get to earlier but would feel wrong not covering. In this week's "in case you missed it" (ICYMI) digest, read on for more on the following:

*   Neopets & Gaming's Lax Security
*   SolarWinds Hackers Embrace Google Drive in Embassy Attacks
*   Nation-State Attacks Ramp Up in APT-a-Palooza
*   Google Ads Abused as Part of Tech Support Scams

**Neopets & Gaming's Lax Security**

Neopets this week became the third gaming platform in the space of a week to be hit with a cyberattack (after Bandai Namco and Roblox), highlighting the interest that attackers have in hitting "leisure-activity" companies during the summer months. According to reports, the purveyor of virtual pets was robbed for its source code as well as the personal information belonging to its 69 million users.

A hacker who goes by the handle of "TarTarX" is putting the ill-gotten goods up for sale for 4 bitcoins, which translates to around $92,000 using Friday's exchange rate. The stolen PII appears to include data includes members' usernames, names, email addresses, ZIP codes, dates of birth, gender, country, and game-related information.

It's unclear how TarTarX gained access to the website, but Javvad Malik, security awareness advocate at KnowBe4, notes that the attack should be a wake-up call to all consumer-focused enterprises to better secure their data.

“We've seen toy manufacturers and games developers hit in the past due to the vast amount of personal data they collect," he says. "Such organizations should be mindful of the information they gather and the purpose of it. Holding excessive data means greater liability should a breach occur."

Any users impacted by the breach should ensure the password they used for Neopets isn’t used elsewhere, given the potential for credential-stuffing attacks, he adds.

**SolarWinds Hackers Embrace Google Drive in Embassy Attacks**

The hackers behind the sprawling SolarWinds supply chain attack are at it again, this time abusing Google Drive to smuggle malware onto targets' machines.

The advanced persistent threat (APT), tracked as APT29, Cloaked Ursa, Cozy Bear, or Nobellium, launched two waves of email-borne attacks between May and June. According to an analysis from Palo Alto Networks' Unit 42, the attacks targeted a foreign embassy in Portugal and another in Brazil. The group used a supposed agenda for an upcoming meeting with an ambassador as a lure.

"In both cases, the phishing documents contained a \[Google Drive\] link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload," according to Unit 42's post this week.

APT29 is believed by the US government to be affiliated with Russia’s Foreign Intelligence Service (SVR), and is widely considered to be responsible not only for SolarWinds but also the hack of the United States Democratic National Committee (DNC) in 2016.

The use of legitimate cloud services to deliver malicious payloads is on the rise as cybercriminals look to take advantage of the entrenched trust that millions of business users (and email gateways) have in them. Lior Yaari, CEO and co-founder of Grip Security, noted that this points to the need to better vet content coming from software-as-a-service (SaaS) app.

“The recent malicious activity discovered using Google Drive is emblematic of the SaaS security challenge — universal accessibility and ease of deployment," he said in a statement to Dark Reading. "Before Google Drive, there was Dropbox and before Dropbox, APT29 was hitting Microsoft 365. The SaaS security challenge for campaigns like these only illustrates the trend toward exploiting SaaS’s strengths for nefarious ends. And the matter only becomes worse with more SaaS out-of-sight for many security teams.”

**Nation-State Attacks Ramp Up in APT-a-Palooza**

Speaking of APTs, several nation-state-backed campaigns came to light this week. For instance, Citizen Lab said that it had forensically confirmed that at least 30 individuals were infected with NSO Group’s Pegasus mobile spyware after an extensive espionage campaign that took place late last year. The effort targeted Thai pro-democracy protesters and activists calling for reforms to the monarchy.

Google's Threat Analysis Group for its part flagged an odd false-flag operation in Ukraine. The Russia-linked hacking group Turla (aka Snake, Uroburos, and Venomous Bear) have created a malicious Android app that masquerades as a tool for Ukrainian hackers looking to carry out distributed denial-of-service (DDoS) attacks against Russian websites. Turla dubbed the app CyberAzov, in reference to the Azov Regiment or Battalion, a far-right group that has become part of Ukraine’s national guard.

CyberAzov is "hosted on a domain controlled by the actor and disseminated via links on third party messaging services," according to Google TAG. While the app is distributed under the guise of performing DDoS attacks, "the 'DoS' consists only of a single GET request to the target website, not enough to be effective."

In reality, the app is "designed to map out and figure out who would want to use such an app to attack Russian websites," according to an additional commentary from Bruce Schneier.

Meanwhile, Cisco Talos observed an unusual campaign targeting Ukrainian entities, which it said is likely attributable to Russia. This attack stood out amidst the barrage of cyberattacks that have been mounted against Ukraine, researchers said, because the attack targeted a large software development company whose wares are used in various state organizations within Ukraine.

"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack," researchers said in a posting this week, adding that the persistent access could also have been leveraged in other ways, including gaining deeper access into the company's network or launching additional attacks such as ransomware.

Also notable is the fact the effort revolved around "a fairly uncommon piece of malware" called GoMet; GoMet is an open source backdoor that was first seen in the wild in March.

And finally, the government of Belgium issued a statement disclosing a spate of attacks against its defense sector and public safety organizations emanating from three China-linked threat groups: APT27, APT30, and APT31 (aka Gallium or UNSC 2814).

The "malicious cyber activities … significantly affected our sovereignty, democracy, security and society at large by targeting the FPS Interior and the Belgian Defence," according to the statement.

**Google Ads Abused as Part of Tech Support Scams**

People performing a Google search for Amazon, Facebook, YouTube, or Walmart could find themselves browser-hijacked, researchers warned this week.

A malvertising campaign is abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams, according to Malwarebytes.

"The threat actors are … purchasing ad space for popular keywords and their associated typos," researchers explained in a posting. "A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result)."

In Google search results, those first returned links could be ads that redirect users to fake warnings urging them to call rogue Microsoft agents for support, researchers explained.

"Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them," researchers lamented.

The approach could just as easily be used to redirect to malicious sites serving up malware or phishing pages, researchers noted. Users — especially business users — should always take care to be skeptical when unexpected browser redirects occur.

ICYMI: Neopets & the Gaming Problem; SolarWinds Hackers Are Back; Google Ads Abused

Google on Thursday said it's backtracking on a recent change that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web.
"Privacy and transparency are core values in the Android community," the Android Developers team said in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and

Google on Thursday said it's backtracking on a recent change that removed the app permissions list from the Google Play Store for Android across both the mobile app and the web.

"Privacy and transparency are core values in the Android community," the Android Developers team said in a series of tweets. "We heard your feedback that you find the app permissions section in Google Play useful, and we've decided to reinstate it. The app permissions section will be back shortly."

To that end, in addition to showcasing the new Data safety section that offers users a simplified summary of an app's data collection, processing, and security practices, Google also intends to highlight all the permissions required by the app to make sense of its "ability to access specific restricted data and actions."

The reinstatement comes as the internet giant moved to swap out the apps permission section with the newer Data safety labels last week ahead of the enforcement deadline on July 20, 2022, which requires developers to provide information about "how they collect and handle user data for the apps they publish on Google Play."

A quick check, however, shows that apps like Tor Browser, Discord and those from Amazon, including its namesake app, Kindle, Alexa, Amazon Music, and Amazon Photos, continue to not include a Data safety section.

The new system also comes with its own set of problems in that it completely relies on the developers to make "complete and accurate declarations," potentially leading to scenarios where it could be misleading or flat-out inaccurate.

In contrast, the apps permission list is derived from the permissions declared by the developer in an app's manifest file.

It's worth noting that the Apple App Store has a similar policy in place for its privacy "nutrition" labels that allows developers to highlight "self‑reported summaries of some of their privacy practices," a method that, as a report from The Washington Post found, "falls short of being helpful."

Google, however, states in its support documentation that it may take appropriate enforcement action if it runs into cases where there is a discrepancy between app's behavior and its declaration.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Google Bringing the Android App Permissions Section Back to the Play Store

Scammers go mainstream by hijacking top Google searches and replacing them with malicious ads.
The post Google ads lead to major malvertising campaign appeared first on Malwarebytes Labs.

Fraudsters have long been leveraging the shady corners of the internet to place malicious adverts, leading users to various scams. However, every now and again we see a campaign that goes mainstream and targets some of the world’s top brands.

Case in point, we recently uncovered a malvertising chain abusing Google’s ad network to redirect visitors to an infrastructure of tech support scams. Unsuspecting users searching for popular keywords will click an advert and their browser will get hijacked with fake warnings urging them to call rogue Microsoft agents for support.

What makes this campaign stand out is the fact that it exploits a very common search behavior when it comes to navigating the web: looking up a website by name instead of entering its full URL in the address bar.

**Hijacking traffic from on a specific user flow**

The threat actors are abusing Google’s ad network by purchasing ad space for popular keywords and their associated typos. A common human behavior is to open up a browser and do a quick search to get to the website you want without entering its full URL. Typically a user will (blindly) click on the first link returned (whether it is an ad or an organic search result).

Let’s say you want to load YouTube and type ‘youtube’ instead of entering the full address ‘youtube.com’ in the browser’s address bar. The first result that appears shows ‘www.youtube.com’ so you are likely to trust it and click on it:

Hijacking traffic in such a way is a clever and likely profitable scheme outlining some of the issues and abuses associated with the placement of ads versus organic search results.

The top searches we have seen for malware-laden ads in this campaign are:

*   youtube
*   facebook
*   amazon
*   walmart

Victims were simply trying to visit those websites and relied on Google Search to take them there. Instead, they ended up with an annoying browser hijack trying to scam them.

**Cloaking and other violations**

The technique used to divert traffic for malicious purposes is known as cloaking and is based on two prerequisites:

*   User looks fake (non residential IP address, wrong user-agent string or simply a crawler)
    *   A redirect to the requested website will take place
*   User looks legitimate
    *   A redirect to a different site and different content happens

As per Google, “_Cloaking is considered a violation of Google’s Webmaster Guidelines because it provides our users with different results than they expected._” Again, based on Google’s policy violation a buyer that uses a creative (ad) containing malware can be suspended for a minimum of three months.

**Traffic and redirects**

There is a short chain of redirects leading to the browser locker. In this section we will take apart another malicious ad for Facebook this time. The ad is of course quite misleading as there is nothing that indicates that clicking on it would redirect anywhere else but to the requested website. Note how it appears before the top organic search result, guaranteeing a higher click rate.

The redirection mechanism is engineered in such a way that static analysis of the HTML code is difficult and does not give away the browser locker URL easily.

**First redirect**

This page determines whether to load decoy content (in this case the legitimate Facebook website) or a secondary script on the same attacker-controlled infrastructure.

**Second redirect**

This is where the browser locker URL is found and we can see that the threat actors don’t actually want to make a formal redirect but instead are loading it within an iframe.

When the page is rendered, the main address bar still shows the .com (cloaking domain) while the content is actually loaded from an iframe (100% width and height) from a disposable CloudFront URL.

**Multiple cloud platforms affected**

Below are examples of malvertising chains we have observed using slightly different variations but that we believe are related to the same threat actor. They used a clever approach by adopting different flows for the cloaking and browser locker such that detecting and taking down one would not impact the overall campaign.

Specifically, we see the threat actor using more expensive domains mixed with disposable domains on shady TLDs. For infrastructure, again they diversified between paid VPS on hosting companies and free cloud providers (PaaS).

**Traffic flow – case 1 : throwaway domains**

1.  **Google search**: google.com/search?q=walmart&{…}
2.  **DoubleClick ad network**: ad.doubleclick.net/ddm/clk/{…}
3.  **Cloaking domain**: ssgvbcxcc\[.\]ga/?url=https://www.walmart.com/ip/{…}
4.  **Browser locker**: prolesscodenet856\[.\]ml/erxczzxEr0rgdxvngEr0hjhvhhxEr0cbchk0252infoyxZdzc

**Traffic flow – case 2: IP address**

1.  **Google search**: google.com/search?q=walmart&{…}
2.  **Ad platform**: clickserve.dartsearch.net/link/click?\_v={…}
3.  **Cloaking domain**: gettouy\[.\]org/t2/?url=https://www.walmart.com/ip/{…}
4.  **Browser locker**: 159.203.183\[.\]136/windowsecurity/

**Traffic flow – case 3: Digital Ocean PaaS**

1.  **Google search**: google.com/search?q=facebook&{…}
2.  **Ad platform**: clickserve.dartsearch.net/link/click?\_v={…}
3.  **Cloaking domain**: playcrpm\[.\]com/?url=https://www.facebook.com/f{…}
4.  **Browser locker**: starfish-app-irxap.ondigitalocean\[.\]app/{…}&number=1-866-896-0189{…}

**Traffic flow – case 4: Azure cloud**

1.  **Google search**: google.com/search?q=zillow&{…}
2.  **Ad platform**: clickserve.dartsearch.net/link/click?\_v={…}
3.  **Cloaking domain**: vlt\[.\]me/.2zqd4/?url=https://www.zillow.com/?url={…}
4.  **Browser locker**: wdq23r2fdadqwdqwdfwedadasasd.azurewebsites\[.\]net/fC0deJdfd008f0d0CH888Err0r80dBG88/index.html

**Reporting and protection**

As far as we can tell, these different campaigns have been going on for several weeks already. Although we don’t have statistics to figure out how many people were exposed, we can infer that the number was high based on a couple of factors:

*   The ads target popular keywords (which also indicates that the threat actors are not opposed to paying a premium)
*   We were able to replay the malvertising chains in our lab multiple times (live replays of malvertising on high profile sites is usually difficult)

We reported the malicious ads and flagged them under the “_An ad/listing violates other Google Ads policies_” category.

We also shared and are currently sharing the cloaking domains infrastructure with relevant parties. The browlock domains themselves have such a short lifespan that it is practically useless to act upon them.

Meanwhile, Malwarebytes users were already protected against this campaign thanks to our heuristic detection of the browser locker pages that force a fullscreen and auto play an audio warning.

**Indicators of Compromise**

eauxedrill\[.\]com  
shopmealy\[.\]com  
aeowqpeqwpa924\[.\]ga  
ejdcvvdhsjdj\[.\]ml  
feopqwoeqw245\[.\]ga  
iowqepwoqe425\[.\]ga  
rasteringfileweb539\[.\]ga  
rsgdkffvsjkoavd\[.\]ml  
ssgvbcxcc\[.\]ga  
gettouy\[.\]org  
getcdprm\[.\]org  
playcrpm\[.\]com  
monhomedecore\[.\]com  
allnewz\[.\]site  
vlt\[.\]me  
youtubelinktrack\[.\]live  
morth\[.\]buzz  
abhihomeabh\[.\]com  
kalarahulshet\[.\]com  
tevarsingh\[.\]com  
bhtl\[.\]digital  
cduitiek\[.\]tk

Google ads lead to major malvertising campaign

Anchore Enterprise anchorectl version 0.1.4 improperly stored credentials when generating a Software Bill of Materials. anchorectl will add the credentials used to access Anchore Enterprise API in the Software Bill of Materials (SBOM) generated by anchorectl. Users of anchorectl version 0.1.4 should upgrade to anchorectl version 0.1.5 to resolve this issue.

**Anchore Enterprise 4.0.1**

Anchore Enterprise v4.0.1 is a patch release containing targeted fixes and improvements. No database upgrade is necessary.

**Fixes**

*   Fixes issues with vulnerability data matching for a small set of distros including Ubuntu, Oracle Linux, and Amazon Linux. All customers are recommended to upgrade to include this patch.

**AnchoreCTL**

The latest version of AnchoreCTL is **0.2.0**. AnchoreCTL is dependent on Syft **v0.39.3** as a library.

AnchoreCTL v0.1.4 is vulnerable to CVE-2022-1766, which was fixed in v0.1.5+. We strongly encourage users to upgrade to the latest version.

The current features that are supported are as follows:

*   Ability to add sboms via anchorectl using stdin to provide an existing SBOM without re-creating it.
*   Source Repository Management: Generate an SBOM and store the SBOM in Anchore’s database. Get information about the source repository, investigate vulnerability packages by requesting vulnerabilities for a single analyzed source repository, or get any policy evaluations.
*   Download full image SBOMs for images analyzed with Enterprise 4.0.0.
*   Compliance Reports: View and operate on runtime compliance reports, such as STIGs, created by the rem tool.
*   Corrections Management: View and modify corrections information to help reduce false positives in your vulnerability results.
*   Image Management: View, list, import local analysis, and request image analysis by the system.
*   Runtime Inventory Management: Add, update, and view cluster configurations for Anchore to scan, as well as for the inventory reports themselves.
*   System Operations: View and manage system information for your Enterprise deployment.

Last modified April 29, 2022

CVE-2022-1766: Anchore Enterprise Release Notes - Version 4.0.1

Amazon's Ring is in hot water after revealing in a letter to Senator Ed Markey that it shared data without permission 11 times this year.
The post Ring shares data with police without consent (but it’s in good faith), says Amazon appeared first on Malwarebytes Labs.

Ring, the Amazon-owned company behind the popular smart doorbells, has admitted to giving doorbell data to law enforcement willy-nilly. All they have to do is fill out a form called the Amazon Law Enforcement Request Tracker—no need to ask for the data owner’s consent, give a warrant or court order. The company revealed this in response to a letter Senator Edward Markey (D-Mass.) sent Amazon in June 2022.

Senator Markey’s letter contains a request for updates regarding the steps Ring has taken “to remove private policing agencies from its Neighbors Public Safety Service (NPSS), reduce the potential for its products to be misused in harmful ways, and protect individuals’ right to privacy.” The NPSS is a means for public safety agencies, which include law enforcement, to connect with their local communities that can publicly share posts or video recordings to the Neighbors App feed.

Amazon responded in writing to Senator Markey’s letter, but the response was only revealed to the public recently. Below are some takeaway points from the response:

*   Ring refuses to change the default setting of automatically recording audio when recording videos via its doorbell camera.
*   Ring currently doesn’t have a voice recognition feature. But that doesn’t mean it won’t in the future.
*   There are currently 2,161 law enforcement agencies and 455 fire departments on the NPSS platform.
*   Ring generally doesn’t allow private security companies on NPSS, and it will only onboard such companies “if they are peace officers under state law and subject to constitutional restrictions.”
*   Ring affirms its right to respond immediately to law enforcement requests under emergency circumstances involving imminent danger of death or serious bodily harm. At times like these, it says, it will share details without asking for consent. And it has done so in 11 incidents this year.

Brendan Daley, Ring’s spokesperson, told Politico that although Ring doesn’t need user consent when handing footage to law enforcement with warrants, it does notify the owners of the video footages.

Speaking with Ars Technica, Policy Analyst for Electronic Frontier Foundation (EFF) Matthew Guariglia said, “There are always going to be situations in which it might be expedient for public safety to be able to get around some of the usual infrastructure and be able to get footage very quickly.”

> But the problem is that the people who are deciding what constitutes exigent circumstances and what constitutes the type of emergency, all of these very important safeguards, are Ring and the police, both of whom, as far as I know, don’t have a great reputation when it comes to deciding when it’s appropriate to acquire a person’s data.
> 
> ~ Matthew Guariglia, EFF

The Policing Project at New York University (NYU) School of Law recently concluded its two year audit of Ring to improve its products and services, focusing on NPSS. Ring admitted to making more than 100 changes to its products, policies, and legal practices. This includes the introduction of Requests for Assistance, which ensures transparency on the part of public safety agencies when asking for assistance from communities in the form of information or video as part of ongoing investigations. The company deliberately created Requests for Assistance to keep control of owners’ hands, not the requesting agencies.

When it comes to sharing private data, both the NYU and Guariglia have landed on the same conclusion: Policymakers need to lay more ground rules on how much private surveillance data police can rely on.

Ring shares data with police without consent (but it’s in good faith), says Amazon

The libtiff-4.0.3-35.amzn2.0.1 package for LibTIFF on Amazon Linux 2 allows attackers to cause a denial of service (application crash), a different vulnerability than CVE-2022-0562. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif_dirread.c. This will cause TIFFFetchStripThing() to segfault after use of an uninitialized resource.

**Amazon Linux 2 Security Advisory:** ALAS-2022-1814  
**Advisory Release Date:** 2022-07-06 03:14 Pacific  
**Advisory Updated Date:** 2022-07-14 22:21 Pacific

**Severity:** Medium  

**Issue Overview:**

A flaw was found in libtiff where a NULL source pointer passed as an argument to the memcpy() function within the TIFFReadDirectory() in tif\_dirread.c. This flaw allows an attacker to exploit this vulnerability via a crafted TIFF file, causing a crash and leading to a denial of service. (CVE-2022-0562)

A flaw was found in libtiff-4.0.3-35.amzn2.0.1 as packaged on Amazon Linux 2. When processing a malicious TIFF file, an invalid range may be passed as an argument to the memset() function within TIFFFetchStripThing() in tif\_dirread.c. This will cause TIFFFetchStripThing() to segfault. Actors can use this issue to potentially cause a Denial of Service condition. (CVE-2022-34266)

**Affected Packages:**

libtiff

**Issue Correction:**  
Run _yum update libtiff_ to update your system.  

  

**New Packages:**

aarch64:  
    libtiff-4.0.3-35.amzn2.0.2.aarch64  
    libtiff-devel-4.0.3-35.amzn2.0.2.aarch64  
    libtiff-static-4.0.3-35.amzn2.0.2.aarch64  
    libtiff-tools-4.0.3-35.amzn2.0.2.aarch64  
    libtiff-debuginfo-4.0.3-35.amzn2.0.2.aarch64

i686:  
    libtiff-4.0.3-35.amzn2.0.2.i686  
    libtiff-devel-4.0.3-35.amzn2.0.2.i686  
    libtiff-static-4.0.3-35.amzn2.0.2.i686  
    libtiff-tools-4.0.3-35.amzn2.0.2.i686  
    libtiff-debuginfo-4.0.3-35.amzn2.0.2.i686

src:  
    libtiff-4.0.3-35.amzn2.0.2.src

x86\_64:  
    libtiff-4.0.3-35.amzn2.0.2.x86\_64  
    libtiff-devel-4.0.3-35.amzn2.0.2.x86\_64  
    libtiff-static-4.0.3-35.amzn2.0.2.x86\_64  
    libtiff-tools-4.0.3-35.amzn2.0.2.x86\_64  
    libtiff-debuginfo-4.0.3-35.amzn2.0.2.x86\_64

CVE-2022-34266: ALAS2-2022-1814

Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise.

*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

BlogContact Sales

Try Puppet 

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce

*   Why Puppet
*   Products
*   Services
*   Open Source
*   Resources
*   Partners
*   About Puppet by Perforce
*   
*   Forge
*   Documentation
*   Get Support
*   Education
*   Events
*   Shop

Search Puppet.com

Puppet is the industry standard for IT automation.

Modernize, manage and bring your hybrid infrastructure into compliance through Puppet's powerful continuous automation.

*   Why Puppet 
*   Try Puppet 

**Guidebook**

*   What is Configuration Management
*   What is IT Compliance
*   What is IT Automation

**Use Cases**

*   Application delivery & operations
*   Continuous configuration automation
*   Continuous compliance
*   Continuous delivery
*   Patch management
*   Puppet for government
*   Operations tasks & orchestration
*   Windows infrastructure automation

**Get Puppet Enterprise**

First 10 nodes are free!

*   Try it now 
*   Request a demo 

**Products**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply
*   Puppet Relay

**Pricing & Packaging**

*   Pricing
*   Support services plans
*   Professional services

**Integrations**

*   Amazon Web Services
*   Google Cloud Platform
*   Hashicorp
*   PowerShell DSC
*   Windows Azure
*   ServiceNow
*   Splunk
*   VMware
*   All integrations

**Puppet Education**

Puppet Education is your learning portal for tools and best practices to address common business challenges.

*   Puppet Education 

**Professional services**

*   Start automating
*   Accelerate delivery
*   Integrate your toolchain
*   Harden infrastructure
*   Partner for success
*   Scale DevOps
*   All professional services

**Support**

*   Puppet support
*   Technical support packages
*   Technical account management

**Custom consulting services**

Get up and running quickly with a custom solution that addresses your unique business goals and easily allows for growth as your needs evolve.

*   Learn more 

**Puppet Forge**

Find thousands of component modules built by the community and guidance on using them in your own infrastructure.

*   Visit Puppet Forge 

**Ecosystem**

*   Puppet developer experience
*   Trusted contributors
*   GitHub
*   Vox Pupuli

**Open Source Projects**

*   Open source Puppet
*   Bolt
*   All open source projects
*   Compare our enterprise products

**Community**

*   Community
*   Puppet Champions
*   Puppet Test Pilots
*   Community calendar
*   Community Slack
*   Pulling the Strings Podcast
*   Puppet and Perforce Community FAQ

**Contribute**

*   Contribute written content
*   Contribute to open source projects
*   Puppet Idea Portal

**State of DevOps Report**

Since launching our first DevOps survey in 2012, we’ve learned a lot about the power of DevOps to transform organizations.

*   State of DevOps retrospective
*   Scaling DevOps

*   Get the 2021 State of DevOps Report 

**Product Documentation**

*   Puppet Enterprise
*   Continuous Delivery for Puppet Enterprise
*   Puppet Comply
*   Puppet Remediate
*   All documentation

**Resource library**

*   Blog
*   Ebooks
*   Reports
*   Solution briefs
*   Videos
*   Webinars
*   White papers

**Customers**

*   Our customers
*   Customer videos
*   Customer stories

**Partners**

*   Technology partners
*   Channel partners
*   Solution providers
*   Become a partner
*   Partner Portal login

**Featured Partners**

**About Us**

Puppet automates your infrastructure so you can innovate. We find, fix, and predict in order to prevent surprises and maintain your desired state.

**Puppet by Perforce**

*   Mission
*   Leadership
*   Diversity, equity & inclusion
*   Contact us

**Working at Puppet by Perforce**

*   Careers
*   Open positions

**Press & news**

*   Press room
*   Press releases
*   News mentions

**Events**

It's our community that makes Puppet great. Connect with Puppet users and employees.

*   Watch On Demand: Puppetize Digital 2021
*   All events

*   **Posted 2022-07-15**
*   **Assessed Risk Level: Medium**
*   **CVSS 3.1 Base Score: 4.1**

Puppet Bolt prior to version 3.24.0 will print sensitive parameters when planning a run resulting in them potentially being logged when run programmatically, such as via Puppet Enterprise.

*   https://github.com/puppetlabs/bolt/blob/main/CHANGELOG.md#bolt-3240-2022-06-29

**Status:**

**Affected software versions:**

*   Puppet Bolt prior to 3.24.0

**Resolved in:**

*   Puppet Bolt 3.24.0

CVE-2022-2394: CVE-2022-2394 - Puppet Bolt

In Kentico before 13.0.66, attackers can achieve Denial of Service via a crafted request to the GetResource handler.

CVE-2022-32387: Hotfixes

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

We provide the carrot — the chance to win a $25 Amazon gift card — and you provide a possible caption for the cartoon above. It's that simple (and no worries about a stick). Here are four convenient ways to submit your idea:

*   Email _\[email protected\]_ with the subject line "Dark Reading July Toon."
*   Via social media: Twitter, Facebook, and LinkedIn.

The contest ends Wednesday, August 11, 2022. We look forward to your submissions.

**Last Month's Winner**  
We had a record number of submissions for our "Cuter Than a June Bug" caption contest. But, of course, only one person can win, and that person happens to be the very clever Kenny M. Congratulations! A $25 Amazon gift card is on the way.

    

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Name That Toon: Modern-Day Fable

Plus: A wild Indian cricket scam, an elite CIA hacker is found guilty of passing secrets to WikiLeaks, and more of the week's top security news.

The websites you visit can reveal (almost) everything about you. If you are looking up health information, reading about trade unions, or researching details around certain types of crime, then you can potentially give away a huge amount of detail about yourself that a malicious actor could use against you. Researchers this week have detailed a new attack, using the web’s basic functions, that can unmask anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged in to services such as Twitter or Facebook and subsequently identify you.

Elsewhere, we detailed how the Russian “hacktivist” group Killnet is attacking countries that backed Ukraine but aren’t directly involved in the war. Killnet has launched DDoS attacks against official government websites and businesses in Germany, the United States, Italy, Romania, Norway, and Lithuania in recent months. And it’s only one of the pro-Russian hacktivist groups causing chaos.

We’ve also looked at a new privacy scandal in India where donors to nonprofit organizations have had their details and information handed to police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. And we took stock of the ongoing January 6 committee hearings—and predicted what’s to come.

But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

For years, Amazon-owned security camera firm Ring has been building relationships with law enforcement. By the start of 2021, Amazon had struck more than 2,000 partnerships with police and fire departments across the US, building out a huge surveillance network with officials being able to request videos to help with investigations. In the UK, Ring has partnered with police forces to give cameras away to local residents.

This week, Amazon admitted to handing police footage recorded on Ring cameras without their owners’ permission. As first reported by Politico, Ring has given law enforcement officials footage on at least 11 occasions this year. This is the first time the firm has admitted to passing on data without consent or a warrant. The move will raise further concerns over Ring’s cameras, which have been criticized by campaign groups and lawmakers for eroding people’s privacy and making surveillance technology ubiquitous. In response, Ring says it doesn’t give anyone “unfettered” access to customer data or video but may hand over data without permission in emergency situations where there is imminent danger of death or serious harm to a person.

In 2017, the Vault 7 leaks exposed the CIA’s most secretive and powerful hacking tools. Files published by WikiLeaks showed how the agency could hack Macs, your router, your TV, and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), which was responsible for finding exploits that could be used in the CIA’s missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and is potentially facing decades in prison. Following an earlier mistrial in 2018, Schulte was this week found guilty on all nine charges against him. Weeks ahead of his second trial, _The New Yorker_ published this comprehensive feature exploring Schulte’s dark history and how the CIA’s OSB operates.

Hackers linked to China, Iran, and North Korea have been targeting journalists and media outlets, according to new research from security firm Proofpoint. Alongside efforts to compromise the official accounts of members of the press, Proofpoint says, multiple Iranian hacking groups have posed as journalists and tried to trick people into handing over their online account details. The Iranian-linked group Charming Kitten has sent detailed interview requests to its potential hacking targets, and they have also tried to impersonate multiple Western news outlets. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information,” Proofpoint says.

In any company or organization, items will go missing from time to time. Usually these are misplaced phones, security passes, and files occasionally being left at bus stops by mistake. Losing any of these things may open up security risks if devices are insecure or if sensitive information is made public. Less commonly lost are desktop computers—unless you’re the FBI. According to FBI records obtained by VICE’s _Motherboard_, the agency lost 200 desktop machines between July and December 2021. Also lost, or in some cases stolen, were pieces of body armor and night-vision scopes.

Scams don’t get much more elaborate than this. This week, police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged scammers set up the fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while they livestreamed the matches for people to bet on. According to police, the group hired a fake commentator, created onscreen graphics showing real-time scores, and played crowd noises downloaded from the internet. To hide the fact that the matches took place on a farm instead of inside a large stadium, the videofeed only showed closeups of the action. Police said they caught the gang as a quarterfinal match was being played. Police believe the gang was potentially running multiple leagues and was planning to expand to a volleyball league, too. The match footage is worth watching.

Tag

#amazon