Unrestricted Upload of File with Dangerous Type in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Hi @nam-no

The Security Team has now assessed the following issue:

SCRMBT-#248 – Huntr.dev: File Upload caused XSS (Import account) in salesagility/suitecrm

This issue has been given an internal severity grading of 'Important'. Due to the severity of this issue we are working to release a fix for it soon.

We would like to suggest a change in the CVSS rating to CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (Medium 5.4), the following are the reasons for the change:

_Attack Vector_

*   Network
*   A victim must access a vulnerable system via the network.

_Attack Complexity_

*   Low

_Privileges Required_

*   Low
*   By default users have access to the import, to revoke access to the import security groups and other configurations need to be changed

_User Interaction_

*   Required
*   This attack takes effect during the import process, which needs to be done by the user himself, not by an attacker in other moments. And users also have control over the imported file, which they manually upload.

_Scope_

*   Changed
*   The vulnerability is exploited on the web server, but the impact is to the user's browser.

_Confidentiality Impact_

*   Low
*   Information which should only be disclosed to the vulnerable site, such as cookies, could be provided by the victim's browser to the attacker.
*   See example: https://www.first.org/cvss/v3.0/examples#DokuWiki-Reflected-Cross-site-Scripting-Attack-CVE-2014-9253

_Integrity Impact_

*   Low
*   Information maintained in the victim's web browser can be modified, but only information associated with the web site running the app.
*   See example: https://www.first.org/cvss/v3.0/examples#DokuWiki-Reflected-Cross-site-Scripting-Attack-CVE-2014-9253

_Availability Impact_

*   None

Regarding the question whether in import Quotes is a duplicate. Yes, it is a duplicate, this report covers any module, we used the same functionality for imports on both modules.

Once the fix is released, we aim to include your name in the release notes - giving credit for finding and reporting this issue. Please let us know if you would prefer not be included or have a specific request on how you would like to be referenced within the release notes.

Once the issue is resolved on huntr.dev a CVE will be emitted. We will then update the release notes with this CVE.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team

CVE-2023-6127: File Upload caused XSS (Import account) in suitecrm

 Code Injection in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

Hi @nam-no

The Security Team has now assessed the following issue:

SCRMBT-#249 – Huntr.dev: HTML injection in Title in salesagility/suitecrm

This issue has been given a severity grading of 'Moderate'. As such we are planning to schedule the fix to address this issue in to a release in the near future.

We would like to suggest a change in the CVSS rating to CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Medium 4.3), the following are the reasons for the change:

**Attack Vector**

*   Network
*   A victim must access a vulnerable system via the network.

**Attack Complexity**

*   Low

**Privileges Required**

*   Low
*   Requires an authenticated ueer

**User Interaction**

*   None

**Scope**

*   Unchanged
*   The vulnerability is exploited on the browser and the impact is to the user's browser.

**Confidentiality Impact**

*   None
*   Requires an authenticated user. Impacts the dashlet for a single user.

**Integrity Impact**

*   Low

**Availability Impact**

*   None

Once the fix is released, we aim to include your name in the release notes - giving credit for finding and reporting this issue. Please let us know if you would prefer not be included or have a specific request on how you would like to be referenced within the release notes.

Once the issue is resolved on huntr.dev a CVE will be emitted. We will then update the release notes with this CVE.

Thank you for your assistance and contribution to the SuiteCRM product!

Kind regards, SuiteCRM Security Team

CVE-2023-6126: HTML injection in Tittle in suitecrm

**Description**

The application accepts PDF files with JavaScript code embedded which results in JavaScript code injection and execution. This vulnerability allows the adversary to upload PDF files with malicious content and execute them.

**Proof of Concept**

    1. Login as a user
    2. Go to Collaboration > Documents > Create Documents
    3. Upload a malicious PDF file and click save
    4. Go to another user account (could be admin) and view the same file and the payload will get executed
    5. Repeat the same process for another malicious file
    

POC Video

Malicious PDF File 1

Malicious PDF File 2

JavaScript Code of Malicious PDF File 1

JavaScript Code of Malicious PDF File 2

This has been also tested on the demo. Demo POC

**Impact**

This vulnerability leads to JavaScript Code Execution which could make arbitrary changes to the content of the uploaded PDF and much more.

More vulnerabilities could occur according to the information mentioned here: PDF Functions

CVE-2023-6125: JavaScript Code Execution in PDF in suitecrm

Cross-site Scripting (XSS) - Reflected in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2.

CVE-2023-6128

In its plans to implement a White House executive order, CISA aims to strike a balance between promoting AI adoption for national security and defending against its malicious use.

Last month, a 120-page United States executive order laid out the Biden administration's plans to oversee companies that develop artificial intelligence technologies and directives for how the federal government should expand its adoption of AI. At its core, though, the document focused heavily on AI-related security issues—both finding and fixing vulnerabilities in AI products and developing defenses against potential cybersecurity attacks fueled by AI. As with any executive order, the rub is in how a sprawling and abstract document will be turned into concrete action. Today, the US Cybersecurity and Infrastructure Security Agency (CISA) will announce a “Roadmap for Artificial Intelligence” that lays out its plan for implementing the order.

CISA divides its plans to tackle AI cybersecurity and critical infrastructure-related topics into five buckets. Two involve promoting communication, collaboration, and workforce expertise across public and private partnerships, and three are more concretely related to implementing specific components of the EO. CISA is housed within the US Department of Homeland Security (DHS).

“It's important to be able to put this out and to hold ourselves, frankly, accountable both for the broad things that we need to do for our mission, but also what was in the executive order,” CISA director Jen Easterly told WIRED ahead of the road map's release. “AI as software is clearly going to have phenomenal impacts on society, but just as it will make our lives better and easier, it could very well do the same for our adversaries large and small. So our focus is on how we can ensure the safe and secure development and implementation of these systems.”

CISA's plan focuses on using AI responsibly—but also aggressively in US digital defense. Easterly emphasizes that, while the agency is “focused on security over speed” in terms of the development of AI-powered defense capabilities, the fact is that attackers will be harnessing these tools—and in some cases already are—so it is necessary and urgent for the US government to utilize them as well.

With this in mind, CISA's approach to promoting the use of AI in digital defense will center around established ideas that both the public and private sectors can take from traditional cybersecurity. As Easterly puts it, “AI is a form of software, and we can’t treat it as some sort of exotic thing that new rules need to apply to.” AI systems should be “secure by design,” meaning that they've been developed with constraints and security in mind rather than attempting to retroactively add protections to a completed platform as an afterthought. CISA also intends to promote the use of “software bills of materials” and other measures to keep AI systems open to scrutiny and supply chain audits.

“AI manufacturers \[need\] to take accountability for the security outcomes—that is the whole idea of shifting the burden onto those companies that can most bear it,” Easterly says. “Those are the ones that are building and designing these technologies, and it’s about the importance of embracing radical transparency. Ensuring we know what is in this software so we can ensure it is protected.”

Finally, CISA will conduct assessments of the threats US critical infrastructure could face from AI-powered attacks. The agency plans to collaborate across the industrial control and critical infrastructure landscape to make recommendations for how these vital services—which are often built on always-on, legacy technology—can defend against novel threats and safely implement AI-powered protections.

“In last month’s Executive Order, the President called on DHS to promote the adoption of AI safety standards globally and help ensure the safe, secure, and responsible use and development of AI,” Homeland Security secretary Alejandro Mayorkas said in a statement today. "CISA’s roadmap lays out the steps that the agency will take as part of our Department’s broader efforts to both leverage AI and mitigate its risks to our critical infrastructure and cyber defenses.”

In practice, it's a massive and unwieldy set of goals. And some, like plans to hold businesses accountable, hinge largely on voluntary commitments and collaborations. But CISA's “road map” is a gesture toward imbuing its efforts with some amount of transparency and public responsibility at a critical moment.

“Not only are these going to be the most powerful capabilities of our lifetime, they could potentially be the most powerful weapons of our lifetime,” Easterly says. “We need to ensure that we are protecting them and protecting our global citizenry from the malicious use of these capabilities.”

CISA Has a New Road Map for Handling Weaponized AI

Server-Side Request Forgery (SSRF) in GitHub repository salesagility/suitecrm prior to 7.14.2, 8.4.2, 7.12.14.

**Description**

SuiteCRM has an Inbound Email Account Test Connection function which allows the adversary to perform a Server-Side Request Forgery (SSRF) attack. It doesn't verify or validate the provided URL/IP Address, allowing it to leak internal and fetch external service information regardless of the protocol.

**Proof of Concept**

    1. Login as a user > Browse Profile > Inbound Email Accounts > New Personal Inbound Email Account
    2. Enter the target host in the mail server address and the target port
    3. click TEST CONNECTION SETTINGS
    4. Observe the result with response error and timing
    
    

Localhost: POC and Payload

Internal Network: POC and Payload

External Network: POC and Payload

It also has been validated in the demo. Demo POC

**Impact**

It allows the adversary to perform reconnaissance and scanning of localhost, internal network host, and external host services without any restriction in the request, which could result in the following;

1.  Local/Remote/External Port Scan
2.  Interact with internal apps/services/network
3.  Remote Code Execution by chaining services on the internal network
4.  Server can be used as a proxy to attack other networks

CVE-2023-6124: Server-Side Request Forgery (SSRF) in suitecrm

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/task/changeStatus.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-48020: dreamer_cms/Enable CSRF for Task Management Office.md at main · moonsabc123/dreamer_cms

We've seen a particular card skimming campaign really pick up pace lately. With hundreds of stores compromised, you may come across it if you shop online this holiday season.

As we head into shopping season, customers aren’t the only ones getting excited. More online shopping means more opportunities for cybercriminals to grab their share using scams and data theft.

One particular threat we’re following closely and expect to increase over the next several weeks is credit card skimming. Online stores are not always as secure as you might think they are, and yet you need to hand over your valuable credit card information in order to buy anything.

When a merchant website is hacked, any purchase made has the potential of being intercepted by bad actors. Often, the malicious code is right underneath the surface and yet completely invisible to shoppers.

One particular skimming campaign we have been following picked up the pace drastically in October after a lull during the summer. With hundreds of stores compromised, you may come across it if you shop online on a regular basis.

**The Kritec campaign**

We first discovered this credit card skimming operation back in March 2023, as it stood out from the rest due to its large volume. The threat actors were also taking the time to customize their skimmer for each victim site with very convincing templates that were even localized in several languages.

The experience was so smooth and seamless that it made it practically impossible for online shoppers to even realize that their credit card information had just been stolen.

**Threat actors ramp up their activity just in time for the holiday season**

In April this skimming campaign reached a peak and then slowed down during the summer. However it came back, increasing to its highest volume in October. We measured this activity based on the number of newly registered domain names attributed to this threat actor.

The infrastructure is located on the IT WEB LTD network (ASN200313) registered in the British Virgin Islands.

**How to shop safely online**

If you are shopping online, and especially via smaller merchants (i.e. not Amazon, Walmart, etc), you absolutely need to be extra careful. Unless you are able to perform a full website audit yourself, you simply can’t be sure that the platform hasn’t been compromised.

Having said that, if the website looks like it hasn’t been maintained in a while (for example it is displaying outdated information, such as ”Copyright 2018′) you probably should stay away from it. Most compromises happen because a website’s content management system (CMS) and its plugins are outdated and vulnerable.

There are tools that can also detect malicious code embedded into websites. Most antivirus products offer some kind of web protection that detects malicious domains and IP addresses. But because threat actors are constantly swapping their infrastructure, it is also a good idea to have some kind of heuristic detection for things like malicious JavaScript snippets.

Malwarebytes Premium offers web protection and is complemented by the Malwarebytes Browser Guard extension for more advanced in-browser detection.

We are also publishing a list of the infrastructure that includes domains we had previously not seen but obtained via retrohunting, so that those can be included in community blocklists ingested by third-party products.

**Indicators of Compromise**

**Kritec domains**

oumymob\[.\]shop  
nujtec\[.\]shop  
lavutele\[.\]yachts  
tochdigital\[.\]pics  
gemdigit\[.\]pics  
vuroselec\[.\]quest  
bereelec\[.\]quest  
psyhomob\[.\]sbs  
antohub\[.\]shop  
kritec\[.\]pics  
daichetmob\[.\]sbs  
smestech\[.\]shop  
interytec\[.\]shop  
ribtech\[.\]shop  
podobadigit\[.\]quest  
yaknatec\[.\]pics  
stacstocuh\[.\]quest  
keistodigit\[.\]pics  
shumtech\[.\]shop  
metsimob\[.\]yachts  
hovarelec\[.\]shop  
vdoxdigit\[.\]pics  
vushtech\[.\]sbs  
tekeiteh\[.\]quest  
tastmob\[.\]yachts  
krasoticmob\[.\]space  
pyatiticdigt\[.\]shop  
frikctictempo\[.\]fun  
secreelec\[.\]shop  
yelyotech\[.\]pics  
statemob\[.\]yachts  
sviisdigit\[.\]quest  
garnimob\[.\]sbs  
povomob\[.\]shop  
dvojnatech\[.\]sbs  
petlelec\[.\]quest  
helotec\[.\]pics  
xiloditg\[.\]yachts  
paunit\[.\]pics  
rithdigit\[.\]cyou  
dayspiselec\[.\]quest  
uznatec\[.\]shop  
nespomob\[.\]sbs  
nebiltech\[.\]shop  
bufelec\[.\]yachts  
ledeehub\[.\]shop  
greentechify\[.\]digital  
ecosustain\[.\]digital  
innovate360\[.\]digital  
wellbeingtech\[.\]digital  
inspireworks\[.\]digital  
avtomob\[.\]sbs  
otkridigit\[.\]quest  
balacdigit\[.\]pics  
schetdigit\[.\]pics  
bantec\[.\]pics  
jantech\[.\]quest  
shotsmob\[.\]sbs  
podbotec\[.\]sbs  
shokomob\[.\]sbs  
resuelec\[.\]yachts  
xorotelec\[.\]quest  
rozkatech\[.\]yachts  
nasnamob\[.\]quest  
ensdigit\[.\]quest  
genlytec\[.\]us  
onitzech\[.\]sbs  
odintech\[.\]sbs  
rebomob\[.\]quest  
flattec\[.\]sbs  
noanotech\[.\]sbs  
fadyit\[.\]pics  
lielecef\[.\]cyou  
inlinedigital\[.\]pics  
fantodelt\[.\]sbs  
volosmob\[.\]pics  
zahidelt\[.\]sbs  
dychtech\[.\]shop  
samopotele\[.\]yachts  
stimob\[.\]pics  
jestmob\[.\]pics  
weitmob\[.\]shop  
poidelt\[.\]sbs  
perstech\[.\]shop  
telehub\[.\]shop  
projectmob\[.\]sbs  
imhoelec\[.\]yachts  
plactech\[.\]quest  
sakwohub\[.\]shop  
volonmob\[.\]sbs  
lehelec\[.\]yachts  
tochelec\[.\]quest  
prijetech\[.\]shop  
supermob\[.\]network  
eluntec\[.\]info  
chutech\[.\]works  
stonworks\[.\]vip  
hapermob\[.\]shop  
seletech\[.\]markets  
calcdigit\[.\]pics  
shellmob\[.\]fun  
valetec\[.\]pw  
votedigit\[.\]shop  
encit\[.\]yachts  
defimob\[.\]bar  
goponl\[.\]online  
yukmob\[.\]store  
tuchtoch\[.\]shop

sasaiso\[.\]cfd  
aifanul\[.\]yachts  
soplelec\[.\]pics  
wudutec\[.\]shop  
vonderdigit\[.\]quest  
mutelec\[.\]quest  
gemstec\[.\]yachts  
genertech\[.\]pw  
genstech\[.\]shop  
effecttec\[.\]shop  
bespitech\[.\]sbs  
otpusmob\[.\]shop  
yedelec\[.\]sbs  
chokdigit\[.\]pics  
poptec\[.\]sbs  
aurelec\[.\]shop  
stramdigital\[.\]yachts  
sotkelec\[.\]yachts  
funkomob\[.\]sbs  
beatmob\[.\]pics  
osobtech\[.\]yachts  
kruktech\[.\]shop  
volosmob\[.\]sbs  
provtec\[.\]shop  
dvanatech\[.\]yachts  
druzit\[.\]quest  
yololive\[.\]sbs  
bachitech\[.\]pics  
kamitac\[.\]shop  
karadigit\[.\]quest  
gachit\[.\]yachts  
yalomob\[.\]pics  
druzit\[.\]quest  
mopedigit\[.\]shop  
macsetech\[.\]online  
strajit\[.\]yachts  
istoretc\[.\]shop  
trepmob\[.\]sbs  
animtech\[.\]quest  
chekeelec\[.\]quest  
kinotec\[.\]pics  
zamlmob\[.\]pics  
leritgo\[.\]sbs  
autotec\[.\]shop  
helinit\[.\]yachts  
shpitech\[.\]quest  
seletmob\[.\]online  
hhfnsfsga\[.\]sbs  
dvanatech\[.\]yachts  
lemodigit\[.\]online  
ttewe\[.\]quest  
efromob\[.\]site  
selentech\[.\]click  
centridig\[.\]store  
timetok\[.\]online  
musatech\[.\]quest  
digitstel\[.\]site  
sintec\[.\]store  
eleconuch\[.\]click  
deletouch\[.\]shop  
topostock\[.\]shop  
dujetech\[.\]yachts  
fletmob\[.\]sbs  
semebit\[.\]online  
kontec\[.\]quest  
moldmob\[.\]site  
lemtok\[.\]store  
domelec\[.\]shop  
hemidigit\[.\]click  
teletoch\[.\]pics  
temtoch\[.\]site  
intescon\[.\]store  
genimmob\[.\]online  
teledomn\[.\]quest  
stemtec\[.\]click  
gemofab\[.\]store  
tenastoc\[.\]click  
kiligob\[.\]site  
pelstec\[.\]online  
vetitec\[.\]quest  
denlog\[.\]shop  
lemnidig\[.\]shop  
fasfad\[.\]site  
lishetoc\[.\]shop  
ruepliz\[.\]click  
stiornec\[.\]store  
daisnetech\[.\]site  
yavipustec\[.\]online  
bednedigit\[.\]quest  
sipletoc\[.\]site  
olinmasot\[.\]click  
verecey\[.\]quest  
oleketec\[.\]store  
etibuz\[.\]shop  
comepetec\[.\]click  
stiildig\[.\]store  
hemogom\[.\]online  
dzelonline\[.\]shop  
tuctec\[.\]site  
obogtec\[.\]quest  
moboed\[.\]icu  
shonowor\[.\]site  
idopos\[.\]shop  
mylase\[.\]click  
henove\[.\]store  
frodetraho\[.\]click  
tromtustec\[.\]quest  
bulkmob\[.\]store

tisimy\[.\]quest  
depeyo\[.\]online  
livepolitical\[.\]sbs  
shareeffectiv\[.\]yachts  
basewhit\[.\]quest  
deliverclos\[.\]online  
changeyellow\[.\]cfd  
writefederal\[.\]click  
dowonderful\[.\]store  
deliverclos\[.\]sbs  
stopfurther\[.\]sbs  
usespecial\[.\]quest  
startculturl\[.\]site  
followmilitry\[.\]cfd  
intesres\[.\]quest  
androton\[.\]online  
begistic\[.\]site  
heptombo\[.\]store  
felestech\[.\]click  
gelimog\[.\]online  
hasekytop\[.\]click  
dekrenof\[.\]quest  
gerelec\[.\]site  
beresor\[.\]store  
lenosmac\[.\]shop  
hustiontec\[.\]store  
teletouch\[.\]click  
pilozol\[.\]quest  
belmrs\[.\]click  
jetomob\[.\]shop  
gelenhan\[.\]online  
lokotec\[.\]quest  
plasmob\[.\]pics  
shumocom\[.\]site  
biposou\[.\]online  
golyter\[.\]shop  
cuvanil\[.\]quest  
trevago\[.\]site  
domog\[.\]shop  
sgolen\[.\]store  
vjevec\[.\]quest  
spilotich\[.\]online  
babtek\[.\]click  
vozvrec\[.\]store  
irlatok\[.\]shop  
vkiten\[.\]click  
golyadik\[.\]site  
oklasdon\[.\]online  
mihayam\[.\]shop  
cutele\[.\]shop  
hoohotic\[.\]click  
pubupu\[.\]quest  
genodigit\[.\]store  
djutech\[.\]online  
voouvdigit\[.\]site  
zizitok\[.\]shop  
ulyatec\[.\]quest  
tuchtok\[.\]site  
justlice\[.\]store  
enisemol\[.\]click  
tululudoc\[.\]online  
nogtech\[.\]site  
mageants\[.\]sbs  
deshvoc\[.\]store  
shumtech\[.\]shop  
metsimob\[.\]yachts  
bolotoc\[.\]store  
nepochtec\[.\]shop  
bibstele\[.\]online  
nechuvelec\[.\]click  
gastdigit\[.\]quest  
arastek\[.\]online  
galeglob\[.\]quest  
boroshtic\[.\]click  
prodovjtec\[.\]shop  
denetok\[.\]site  
kalomob\[.\]store  
avordic\[.\]site  
chasoc\[.\]quest  
jujoc\[.\]online  
helostop\[.\]shop  
zlakovos\[.\]click  
obomob\[.\]site  
miskotec\[.\]store  
shakorot\[.\]site  
nemojmob\[.\]online  
najitel\[.\]quest  
ragutech\[.\]shop  
pershtec\[.\]click  
nadoelec\[.\]space  
odnydigit\[.\]quest  
yamatel\[.\]store  
jezesec\[.\]quest  
samknut\[.\]click  
imperel\[.\]site  
pricetool\[.\]store  
donashhack\[.\]online  
chelotec\[.\]quest  
stelor\[.\]shop  
udamos\[.\]online  
kurkumin\[.\]click  
vedldeno\[.\]store  
oifilon\[.\]site  
igusfil\[.\]shop  
cosmafit\[.\]click  
tanuatech\[.\]quest  
ifilone\[.\]site  
sourite\[.\]online  
becasotec\[.\]site

**Kritec IPs**

195\[.\]242\[.\]110\[.\]102  
195\[.\]242\[.\]110\[.\]103  
195\[.\]242\[.\]110\[.\]112  
195\[.\]242\[.\]110\[.\]130  
195\[.\]242\[.\]110\[.\]131  
195\[.\]242\[.\]110\[.\]134  
195\[.\]242\[.\]110\[.\]135  
195\[.\]242\[.\]110\[.\]136  
195\[.\]242\[.\]110\[.\]137  
195\[.\]242\[.\]110\[.\]139  
195\[.\]242\[.\]110\[.\]143  
195\[.\]242\[.\]110\[.\]158  
195\[.\]242\[.\]110\[.\]162  
195\[.\]242\[.\]110\[.\]166  
195\[.\]242\[.\]110\[.\]168  
195\[.\]242\[.\]110\[.\]171  
195\[.\]242\[.\]110\[.\]172  
195\[.\]242\[.\]110\[.\]174  
195\[.\]242\[.\]110\[.\]179  
195\[.\]242\[.\]110\[.\]181  
195\[.\]242\[.\]110\[.\]182  
195\[.\]242\[.\]110\[.\]185  
195\[.\]242\[.\]110\[.\]186  
195\[.\]242\[.\]110\[.\]187  
195\[.\]242\[.\]110\[.\]188  
195\[.\]242\[.\]110\[.\]189  
195\[.\]242\[.\]110\[.\]190  
195\[.\]242\[.\]110\[.\]191  
195\[.\]242\[.\]110\[.\]196  
195\[.\]242\[.\]110\[.\]197  
195\[.\]242\[.\]110\[.\]205  
195\[.\]242\[.\]110\[.\]206  
195\[.\]242\[.\]110\[.\]231  
195\[.\]242\[.\]110\[.\]232  
195\[.\]242\[.\]110\[.\]235  
195\[.\]242\[.\]110\[.\]237  
195\[.\]242\[.\]110\[.\]24  
195\[.\]242\[.\]110\[.\]242  
195\[.\]242\[.\]110\[.\]25  
195\[.\]242\[.\]110\[.\]250  
195\[.\]242\[.\]110\[.\]251  
195\[.\]242\[.\]110\[.\]28  
195\[.\]242\[.\]110\[.\]3  
195\[.\]242\[.\]110\[.\]30  
195\[.\]242\[.\]110\[.\]32  
195\[.\]242\[.\]110\[.\]33  
195\[.\]242\[.\]110\[.\]34  
195\[.\]242\[.\]110\[.\]37  
195\[.\]242\[.\]110\[.\]40  
195\[.\]242\[.\]110\[.\]41  
195\[.\]242\[.\]110\[.\]46  
195\[.\]242\[.\]110\[.\]58  
195\[.\]242\[.\]110\[.\]59

195\[.\]242\[.\]110\[.\]60  
195\[.\]242\[.\]110\[.\]72  
195\[.\]242\[.\]110\[.\]73  
195\[.\]242\[.\]110\[.\]77  
195\[.\]242\[.\]110\[.\]79  
195\[.\]242\[.\]110\[.\]80  
195\[.\]242\[.\]110\[.\]83  
195\[.\]242\[.\]110\[.\]84  
195\[.\]242\[.\]110\[.\]87  
195\[.\]242\[.\]110\[.\]95  
195\[.\]242\[.\]110\[.\]99  
195\[.\]242\[.\]111\[.\]102  
195\[.\]242\[.\]111\[.\]11  
195\[.\]242\[.\]111\[.\]117  
195\[.\]242\[.\]111\[.\]12  
195\[.\]242\[.\]111\[.\]120  
195\[.\]242\[.\]111\[.\]147  
195\[.\]242\[.\]111\[.\]148  
195\[.\]242\[.\]111\[.\]152  
195\[.\]242\[.\]111\[.\]214  
195\[.\]242\[.\]111\[.\]215  
195\[.\]242\[.\]111\[.\]217  
195\[.\]242\[.\]111\[.\]224  
195\[.\]242\[.\]111\[.\]25  
195\[.\]242\[.\]111\[.\]29  
195\[.\]242\[.\]111\[.\]36  
195\[.\]242\[.\]111\[.\]37  
195\[.\]242\[.\]111\[.\]38  
195\[.\]242\[.\]111\[.\]40  
195\[.\]242\[.\]111\[.\]42  
195\[.\]242\[.\]111\[.\]44  
195\[.\]242\[.\]111\[.\]49  
195\[.\]242\[.\]111\[.\]50  
195\[.\]242\[.\]111\[.\]53  
195\[.\]242\[.\]111\[.\]56  
195\[.\]242\[.\]111\[.\]57  
195\[.\]242\[.\]111\[.\]58  
195\[.\]242\[.\]111\[.\]59  
195\[.\]242\[.\]111\[.\]6  
195\[.\]242\[.\]111\[.\]7  
195\[.\]242\[.\]111\[.\]76  
195\[.\]242\[.\]111\[.\]77  
195\[.\]242\[.\]111\[.\]84  
195\[.\]242\[.\]111\[.\]85  
195\[.\]242\[.\]111\[.\]86  
195\[.\]242\[.\]111\[.\]87  
195\[.\]242\[.\]111\[.\]94  
195\[.\]242\[.\]111\[.\]95  
195\[.\]242\[.\]111\[.\]96  
45\[.\]88\[.\]3\[.\]114  
45\[.\]88\[.\]3\[.\]12  
45\[.\]88\[.\]3\[.\]122  

45\[.\]88\[.\]3\[.\]123  
45\[.\]88\[.\]3\[.\]134  
45\[.\]88\[.\]3\[.\]138  
45\[.\]88\[.\]3\[.\]139  
45\[.\]88\[.\]3\[.\]141  
45\[.\]88\[.\]3\[.\]142  
45\[.\]88\[.\]3\[.\]144  
45\[.\]88\[.\]3\[.\]145  
45\[.\]88\[.\]3\[.\]146  
45\[.\]88\[.\]3\[.\]148  
45\[.\]88\[.\]3\[.\]149  
45\[.\]88\[.\]3\[.\]154  
45\[.\]88\[.\]3\[.\]167  
45\[.\]88\[.\]3\[.\]170  
45\[.\]88\[.\]3\[.\]201  
45\[.\]88\[.\]3\[.\]21  
45\[.\]88\[.\]3\[.\]213  
45\[.\]88\[.\]3\[.\]218  
45\[.\]88\[.\]3\[.\]219  
45\[.\]88\[.\]3\[.\]225  
45\[.\]88\[.\]3\[.\]227  
45\[.\]88\[.\]3\[.\]23  
45\[.\]88\[.\]3\[.\]235  
45\[.\]88\[.\]3\[.\]237  
45\[.\]88\[.\]3\[.\]238  
45\[.\]88\[.\]3\[.\]239  
45\[.\]88\[.\]3\[.\]240  
45\[.\]88\[.\]3\[.\]244  
45\[.\]88\[.\]3\[.\]245  
45\[.\]88\[.\]3\[.\]248  
45\[.\]88\[.\]3\[.\]25  
45\[.\]88\[.\]3\[.\]251  
45\[.\]88\[.\]3\[.\]253  
45\[.\]88\[.\]3\[.\]34  
45\[.\]88\[.\]3\[.\]35  
45\[.\]88\[.\]3\[.\]40  
45\[.\]88\[.\]3\[.\]49  
45\[.\]88\[.\]3\[.\]52  
45\[.\]88\[.\]3\[.\]60  
45\[.\]88\[.\]3\[.\]61  
45\[.\]88\[.\]3\[.\]63  
45\[.\]88\[.\]3\[.\]70  
45\[.\]88\[.\]3\[.\]78  
45\[.\]88\[.\]3\[.\]79  
45\[.\]88\[.\]3\[.\]81  
45\[.\]88\[.\]3\[.\]82  
45\[.\]88\[.\]3\[.\]83  
45\[.\]88\[.\]3\[.\]85  
45\[.\]88\[.\]3\[.\]95  
45\[.\]88\[.\]3\[.\]98

 Credit card skimming on the rise for the holiday shopping season 

In 2023, the global average cost of a data breach reached $4.45 million. Beyond the immediate financial loss, there are long-term consequences like diminished customer trust, weakened brand value, and derailed business operations.
In a world where the frequency and cost of data breaches are skyrocketing, organizations are coming face-to-face with a harsh reality: traditional cybersecurity

Pen Testing / Vulnerability Management

In 2023, the global average cost of a data breach reached $4.45 million. Beyond the immediate financial loss, there are long-term consequences like diminished customer trust, weakened brand value, and derailed business operations.

In a world where the frequency and cost of data breaches are skyrocketing, organizations are coming face-to-face with a harsh reality: traditional cybersecurity measures might not be cutting it anymore.

Against this backdrop, businesses must find ways to strengthen their measures to safeguard precious data and critical assets. At the heart of this shift lies a key strategy: continuous monitoring.

**Understanding Continuous Security Monitoring in Cybersecurity**

Continuous monitoring is a dynamic approach that encompasses several techniques to fulfil a multi-layered defense strategy. These techniques can include:

*   **Risk-Based Vulnerability Management (RBVM):**Continuous vulnerability assessments across your network with remediation prioritization based on the highest risks posed.
*   **External Attack Surface Management** **(EASM)**: Ongoing discovery, monitoring, and analysis of your external exposure, including domains, websites, hosts, services, etc.
*   **Cyber Threat Intelligence:**Actionable and centralized threat information to help you keep-up with adversaries and manage digital risk.

Unlike point-in-time assessments, which are analogous to taking a photo of your security posture, continuous monitoring is like a 24/7 live stream. It proactively scouts for vulnerabilities, irregularities, misconfigurations, and potential threats, ensuring swift detection and response.

**Continuous Security Monitoring for Web Applications**

Protecting business applications should be a central component of any effective cybersecurity strategy. Not only are they a tempting target for cybercriminals, but they are also increasingly difficult to protect. According to a recent report, based on analysis of 3.5 million business assets, the vast majority (74%) of internet-exposed web apps containing personal identifiable information (PII) are vulnerable to a cyberattack.

When it comes to protecting their web application, organizations often grapple with a critical choice: a pen testing as a service (PTaaS) solution or the standard (periodic or ad-hoc) pen test. The choice boils down to your organization's specific needs. Both tools have their merits; it's about aligning the tool with the task at hand, ensuring you're always ahead in the cybersecurity game.

**The Benefits of PTaaS**

*   In environments where apps are crucial or handle sensitive data a PTaaS solution and its continuous monitoring is a non-negotiable. It offers ongoing protection against evolving vulnerabilities.
*   On the budget front, PTaaS offers a predictable cost model, making it a cost-effective route to high-level security expertise.
*   For organizations limited in security manpower, PTaaS fills the gap, providing robust support and direct access to security experts.

**The Benefits of the Standard Pen Testing**

*   For newer or smaller web apps, occasional checks might be enough, which is where the standard pen test steps in.
*   Have a one-time need, like a specific security verification? standard pen testing is your best bet. It's also more suited for tasks centered on non-web assets, like network infrastructure.
*   If you're strictly looking to validate known vulnerabilities, standard pen testing offers a focused, cost-effective solution.

**The Broader Landscape of Continuous Monitoring**

Outpost24 identifies security gaps across your entire attack surface and helps you prioritize vulnerabilities to optimize your cybersecurity posture and reduce exposure.

*   Outscan NX (RBVM): Vulnerability management with real-world threat intelligence to focus remediation and reduce business risk.
*   SWAT (PTaaS): Manual testing and automated scanning with access to security experts for your agile development cycles.
*   Sweepatic (EASM): Attack surface discovery and monitoring in real-time with actionable insights.
*   Threat Compass (Cyber Threat Intelligence): Targeted and actionable intelligence for faster threat detection and incident response.

The digital age demands a rethink of our cybersecurity paradigms. The rising costs and risks associated with data breaches make it clear: continuous security monitoring isn't just an option, it's a necessity. With the above solutions, Outpost24 offers a robust toolkit to navigate this new cybersecurity landscape.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

The Importance of Continuous Security Monitoring for a Robust Cybersecurity Strategy

Have you heard about Dependabot? If not, just ask any developer around you, and they'll likely rave about how it has revolutionized the tedious task of checking and updating outdated dependencies in software projects. 
Dependabot not only takes care of the checks for you, but also provides suggestions for modifications that can be approved with just a single click. Although Dependabot is limited

Have you heard about Dependabot? If not, just ask any developer around you, and they'll likely rave about how it has revolutionized the tedious task of checking and updating outdated dependencies in software projects.

Dependabot not only takes care of the checks for you, but also provides suggestions for modifications that can be approved with just a single click. Although Dependabot is limited to GitHub-hosted projects, it has set a new standard for continuous providers to offer similar capabilities. This automation of "administrative" tasks has become a norm, enabling developers to integrate and deploy their work faster than ever before. Continuous integration and deployment workflows have become the cornerstone of software engineering, propelling the DevOps movement to the forefront of the industry.

But a recent advisory by security firm Checkmarx sheds light on a concerning incident. Malicious actors have recently attempted to exploit the trust associated with Dependabot by impersonating the tool. By mimicking the suggestions made by Dependabot (in the form of pull requests), these actors tried to deceive developers into accepting changes without giving them a second thought.

While Dependabot exemplifies the advancements in automating software maintenance tasks, this incident also underscores the broader complexities and vulnerabilities inherent in CI/CD pipelines. These pipelines serve as vital conduits, linking the external world of software development tools and platforms with the internal processes of software creation and deployment. Understanding this connection is key to addressing the security challenges we face.

**CI/CD Pipelines: Connecting the Outside World with the Internal One**

Continuous integration (CI) and deployment (CD) workflows have revolutionized the software development process, providing developers with the ability to seamlessly merge their work and deploy it to the production environment. These workflows ensure that the code undergoes automated security scans, rigorous testing, and adherence to coding standards, resulting in a more efficient and reliable development process. They have become a catalyst for innovation, enabling teams to focus on building and enhancing their products with the assurance of quality and security.

To illustrate the concept, imagine building a puzzle. CI acts as a vigilant checker, verifying that each new puzzle piece fits correctly before moving forward. On the other hand, CD takes this a step further by automatically placing each verified piece into the final puzzle, eliminating the need to wait for the entire puzzle to be completed. This accelerated process allows for faster feature delivery and ultimately expedites the overall product development timeline.

However, these CI/CD workflows also connect the outside world with the internal development environment, creating potential risks. For instance, consider a scenario where a developer integrates a third-party library into their project through a CI/CD pipeline. If the developer fails to thoroughly vet the library or if the pipeline lacks proper security checks, malicious code could be unknowingly incorporated into the project, compromising its integrity. In recent years, there has been a rise in attacks such as typosquatting and dependency confusion, which aim to exploit the reliance on open source software for financial gain.

The rise of automated integrations workflows have changed the economics for attackers by lowering the cost and increasing the potential gains of an attack. Attackers can target popular central package repositories like PyPi, which hosts thousands of packages and serves millions of downloads daily. The sheer scale of operations makes it economically viable for attackers to try their luck, even with a small chance of success.

Another example is the use of external APIs within CI/CD pipelines. Developers often need to provide valid credentials for these APIs to enable automated deployment or integration with external services. However, if these credentials are not securely managed or if they are inadvertently exposed in logs or artifacts, they can be exploited by attackers to gain unauthorized access to sensitive resources or manipulate the pipeline's behavior.

CI/CD breaches frequently stem from either an initial compromise of secrets or developers becoming targets of specific attacks. However, rather than blaming developers for these breaches, it is crucial to recognize that the issue lies in the inherent lack of security in these pipelines. This highlights a larger problem: CI/CD pipelines are far from being secure by default.

**The Problem: CI/CD Pipelines Are Far from Secure by Default**

Although the idea of implementing secure-by-design workflows is becoming more popular, CI/CD platforms still have a significant way to go. Platforms like GitHub Actions, GitLab CI/CD, and CircleCI, which were initially designed with flexibility in mind, often prioritize ease of use over robust security measures. As a result, there is a lack of default safeguards to prevent potential issues from arising.

A glaring example of this is how easy it is for a developer to expose sensitive information like secrets. Developers commonly inject secrets at runtime and rely for that on the capability to store secrets in the CI provider itself. While this practice isn't a problem by itself, it raises at least two security concerns: first, the CI provider hosting the secrets becomes a vault of sensitive information and an attractive target for attackers. As recently as early 2023, CircleCI suffered a breach of its systems which forced users to rotate "any and all" their secrets following a breach of the company's systems.

Second, secrets can often leak and go unnoticed through CI/CD pipelines themselves. For example, if a secret is concatenated with another string (say, a URL) and then logged, the CI redacting mechanism will not work. Same goes with encoded secrets. The consequence is that CI logs often expose plaintext secrets. Similarly, it is not uncommon at all to find secrets hard-coded in software artifacts, being the result of a misconfigured continuous integration workflow.

CI/CD providers have already taken steps to enhance security, like GitHub Dependabot security checks. But most of the time, permissive defaults and complex permission models are still the rule. To protect CI/CD pipelines and prevent code compromise, developers should take additional measures to harden their pipelines against attacks. One crucial aspect is ensuring the protection of developers' credentials. Another one is to take a proactive approach to security with alert triggers.

**Safeguarding CI/CD and the Software Supply Chain**

To effectively secure CI/CD pipelines, it's crucial to view them as high-priority, potentially externally connected environments. The key is a mix of best practices:

*   **Restrict Access and Minimize Privileges**: Grant access based on necessity, not convenience. Extensive access to all DevOps team members increases the risk of a compromised account providing attackers with extensive system access. Limit access to critical controls, configurations, or sensitive data.

*   **Enforce Multi-Factor Authentication (MFA)**: Crucially, always use multi-factor authentication (MFA) for logging into the CI/CD platform. MFA adds an essential layer of security, making it significantly harder for unauthorized users to gain access even if they have compromised credentials.

*   **Utilize OpenID Connect (OIDC)**: Employ OIDC for securely connecting workloads to external systems, such as for deployment. This protocol provides a robust framework for authentication and cross-domain identity verification, which is critical in a distributed and interconnected environment.

*   **Use Pre-Reviewed Software Dependencies**: It's important to provide developers with safe, pre-reviewed software dependencies. This practice safeguards the supply chain's integrity and spares developers from having to verify each package's code. This ensures supply chain integrity, relieving developers from the burden of individually verifying each package's code.

*   **Secure Runtime Secrets**: Safely storing secrets like API keys and credentials in the CI/CD platform requires strong security measures, such as enforced MFA and role-based access controls (RBAC). However, these are not foolproof. Secrets are leaky by nature, and additional layers of security, like rigorous credential hygiene and vigilant monitoring of internal and external threats, are necessary for comprehensive protection.

*   **Implement Advanced Defense Systems**: Incorporate alert systems into your security framework. While honeypots are effective but challenging to scale, honeytokens offer a scalable, easy-to-implement alternative. These tokens, requiring minimal setup, can significantly enhance security for companies of all sizes across various platforms like SCM systems, CI/CD pipelines, and software artifact registries.

*   **Leverage Enterprise-Scale Solutions**: Solutions like the GitGuardian Platform offer a single pane of glass to monitor incidents such as leaked secrets, Infrastructure as Code misconfigurations and honeytoken triggers, allowing organizations to detect, remediate and prevent CI/CD incidents on a large scale. This significantly mitigates the impact of potential data breaches.

By combining these strategies, organizations can comprehensively safeguard their CI/CD pipelines and software supply chain, adapting to evolving threats and maintaining robust security protocols. Get started securing your pipelines today with the GitGuardian Platform.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#git