The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes (color). This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This record contains material that is subject to copyright.

**Copyright 2012-2023 Defiant Inc.**

**License:** Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. **Read more.**

**Copyright 1999-2023 The MITRE Corporation**

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

CVE-2023-5817: Neon text <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting — Wordfence Intelligence

When organizations start incorporating cybersecurity regulations and cyber incident reporting requirements into their security protocols, it's essential for them to establish comprehensive plans for preparation, mitigation, and response to potential threats.
At the heart of your business lies your operational technology and critical systems. This places them at the forefront of cybercriminal

_When organizations start incorporating cybersecurity regulations and cyber incident reporting requirements into their security protocols, it's essential for them to establish comprehensive plans for preparation, mitigation, and response to potential threats._

At the heart of your business lies your operational technology and critical systems. This places them at the forefront of cybercriminal interest, as they seek to exploit vulnerabilities, compromise your data, and demand ransoms. In today's landscape, characterized by the ever-present risk of ransomware attacks and the challenges posed by fragmented security solutions, safeguarding your organization is paramount. This is where **The National Institute of Standards and Technology (NIST) advocates** for the development of resilient, reliable security systems capable of foreseeing, enduring, and rebounding from cyberattacks.

In this guide, we'll explore strategies to fortify your defenses against cyber threats and ensure uninterrupted operations. Fidelis Security, **a pioneer in proactive cybersecurity**, is here to stand with you on this journey.

****Prepare********1\. Compliance and Regulatory Compliance:****

Compliance is especially critical in regulated industries, where adhering to industry-specific and government regulations is non-negotiable. Fidelis Security's Compliance Management solutions provide controls and monitoring capabilities to ensure that their organizations remain compliant, even in the face of evolving regulatory requirements.

In a world of ever-evolving regulations, maintaining compliance can be a daunting task. Fidelis Security simplifies this challenge by providing comprehensive Compliance Management solutions. These solutions offer the controls and monitoring capabilities necessary to ensure that organizations adhere to industry-specific and government regulations. By maintaining compliance, they not only avoid potential penalties but also bolster their overall cybersecurity posture.

Fidelis Security's patented deep session inspect (DSI) and real-time traffic analysis enable analysts to find information on the network that is controlled by regulatory compliances statutes, such as PCI, HIPAA, FISMA, GLBA and FERPA, in addition to PII, intellectual property, finance-related, and confidential or secret information. By using pre-built data leakage protection (DLP) or custom-built policy, analysts can match these classes of content in addition to any content they deem sensitive. Prevention can be enabled on the network to stop exfiltration as the transfer occurs, which may have originated from a malicious actor or possibly an insider threat.

****2\. Continuous Monitoring and Threat Detection:****

Continuous monitoring and **real-time threat detection** are essential components of a proactive cybersecurity strategy. Fidelis Security's Network Detection and Response (NDR) solutions offer continuous monitoring and advanced threat detection capabilities, helping organizations identify and respond to threats in real-time.

In the face of constantly evolving cyber threats, the ability to monitor networks and detect threats in real-time is invaluable. Fidelis Security's Network Detection and Response (NDR) solutions are designed to provide continuous monitoring of networks and endpoints. These solutions leverage advanced threat detection capabilities to identify and respond to potential threats before they escalate. With Fidelis NDR, organizations gain the upper hand in the ongoing battle against cyberattacks.

Fidelis NDR employs many features over the entire platform to accomplish real-time detection and response. Deep Session Inspection (DSI) and decoding, Deep Packet Inspection (DPI), Antivirus detection (AV), and DNS protocol anomaly detections, on network and mail sensors, provide a multi-faceted approach to network-based detection. Event and sequence-based detections, as well as anomaly detections, are accomplished using the Fidelis Collector, a real-time database of all decoded session and object metadata that is collected as it traverses the network. In addition, Fidelis Endpoint detects malicious objects, traffic flows, and behaviors on endpoints with an agent installed.

Fidelis Deception empowers you to create deception layers that are aligned with your actual network infrastructure. These layers are designed to identify and track malware and intruders as they attempt to move stealthily within your network. By strategically placing decoys and breadcrumbs, this solution aids in enhancing your network's security posture. This approach enables you to achieve heightened visibility and safeguard your assets, even in areas where conventional security agents cannot be deployed—such as in enterprise IoT, Shadow IT, and legacy systems. As a result, you can proactively pinpoint and neutralize threats within your network, preventing potential harm to your organization.

Finally, the Fidelis Threat Research Team provides timely intelligence in the form of detection policy and threat intelligence feeds to each of these platforms to catch bad actors during the threat lifecycle and not after the fact. Any detections are presented to analysts in the Fidelis CommandPost so that they may initiate a rapid response.

****Mitigate********3\. Vulnerability Management:****

Vulnerability management plays a critical role in reducing security risks. It involves identifying and addressing weaknesses in IT infrastructure. Fidelis Security's Vulnerability Management solutions offer a robust approach to identifying and prioritizing vulnerabilities effectively, helping organizations fortify their defenses.

Vulnerabilities in IT infrastructure can provide cybercriminals with entry points into systems. To counter this threat, Fidelis Security's Vulnerability Management solutions empower organizations to identify and prioritize vulnerabilities effectively. By addressing weaknesses in infrastructure, they fortify their defenses and reduce security risks, ultimately enhancing their cybersecurity posture.

****4\. Insider Threat Mitigation:****

The threat of insider incidents, whether intentional or accidental, is a concerning challenge. Mitigating these risks is vital to business continuity. Fidelis Security's Data Loss Prevention (DLP) solution is designed to address insider threats by detecting unusual activities and protecting sensitive data from unauthorized access.

Insider threats are a complex challenge that can have far-reaching consequences. Fidelis DLP provides a multifaceted approach to mitigating these risks, by safeguarding sensitive data from unauthorized access and exfiltration.

****Respond********5\. Incident Response and Recovery Planning:****

Incident response and recovery plans are the lifelines in times of a cyber crisis. Fidelis Security's Incident Response solutions are their go-to resource for creating and implementing effective response plans, ensuring swift and efficient actions when needed most.

Incidents are a matter of 'when' rather than 'if' in the cybersecurity landscape. Being prepared to respond swiftly and effectively is essential. Fidelis Security's Incident Response solutions are designed to help organizations create and implement effective response plans. These plans are their lifeline in times of crisis, ensuring that organizations can respond swiftly and efficiently to contain and mitigate the impact of cyber incidents.

****6\. The Fidelis Challenge:****

Fidelis Security brings expertise and commitment to the forefront of cybersecurity. They firmly believe that their perspective on cyber threats is unmatched. To prove this, organizations are invited to take the Fidelis Challenge. For 30 days, they can integrate Fidelis Elevate into your enterprise environment, and Fidelis Security will showcase its unparalleled threat detection capabilities. Fidelis Security is confident that organizations will see the difference they can make in safeguarding their organizations. **Try it for free**.

****Conclusion****

Cyber incidents have the potential to impact national security, economic stability, and public safety. Therefore, organizations should prioritize the security of their critical infrastructure. The main points from this guide emphasize the importance of robust cybersecurity measures for maintaining seamless operations. Organizations are encouraged to concentrate on their cybersecurity efforts and leverage expertise to find the right tailored solutions for their security needs, thereby enhancing their protection against ever-evolving threats.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

How to Keep Your Business Running in a Contested Environment

Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.
"Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or

Artificial Intelligence / Vulnerability

Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to reward researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.

"Generative AI raises new and different concerns than traditional digital security, such as the potential for unfair bias, model manipulation or misinterpretations of data (hallucinations)," Google's Laurie Richardson and Royal Hansen said.

Some of the categories that are in scope include prompt injections, leakage of sensitive data from training datasets, model manipulation, adversarial perturbation attacks that trigger misclassification, and model theft.

It's worth noting that Google earlier this July instituted an AI Red Team to help address threats to AI systems as part of its Secure AI Framework (SAIF).

Also announced as part of its commitment to secure AI are efforts to strengthen the AI supply chain via existing open-source security initiatives such as Supply Chain Levels for Software Artifacts (SLSA) and Sigstore.

"Digital signatures, such as those from Sigstore, which allow users to verify that the software wasn't tampered with or replaced," Google said.

"Metadata such as SLSA provenance that tell us what's in software and how it was built, allowing consumers to ensure license compatibility, identify known vulnerabilities, and detect more advanced threats."

The development comes as OpenAI unveiled a new internal Preparedness team to "track, evaluate, forecast, and protect" against catastrophic risks to generative AI spanning cybersecurity, chemical, biological, radiological, and nuclear (CBRN) threats.

The two companies, alongside Anthropic and Microsoft, have also announced the creation of a $10 million AI Safety Fund, focused on promoting research in the field of AI safety.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Expands Its Bug Bounty Program to Tackle Artificial Intelligence Threats

**PRESS RELEASE**

**MILPITAS, Calif.,Oct. 26, 2023/PRNewswire/ --** As Cybersecurity Awareness Month comes to a close, SonicWall today released the findings of its 2023 SonicWall Threat Mindset Survey which found that 55% of its customers are more concerned about cyberattacks in 2023, with the main threat being focused on digital attacks like ransomware and spear phishing.

"Understanding our partners and customers greatest concerns is at the heart of SonicWall's outside-in strategy," said SonicWall President and CEO Bob VanKirk. "Even further, it's taking that insight and acting upon it to provide key value-add products and services. The data from the 2023 SonicWall Threat Mindset Survey helps keep our finger on the pulse of what truly matters to our valued customers. As organizations around the globe struggle with economic declines and political strife, SonicWall remains committed to providing the latest in threat intelligence and cyber security solutions to help our partners and customers successfully navigate these rough waters."

SonicWall's proprietary threat mindset survey uncovered additional findings:

*   **Continued concerns about intensifying cyberattacks**: There is growing concern regarding cyberattacks amongst 54% of professionals surveyed; ransomware leads the distress as 83% of all customers cited it as their biggest concern. 94% of respondents are equally or more concerned about overall attacks in 2023. Phishing and spear-phishing (76%), as well as encrypted malware (64%), comprised the top three concerns.
*   **Organizations slow to patch**: Despite rising cyberattack concerns, 78% of organizations don't patch critical vulnerabilities within 24 hours of patch availability; another 13% only apply critical patches when time allows.
*   **Increased fear around insider threats:** Insider threat incidents have continued to increase and 49% of IT professionals cited it as a growing worry. The larger the organization, the more potential insider threat incidents exist. Critical business information and sensitive data can be found in employees' emails – and IT professionals feel the concern.
*   **Now Hiring: cybersecurity professionals needed:** 41% of respondents described their IT/ cybersecurity personnel as inadequate. With the cyberattack landscape becoming savvier with stronger capabilities of pulling off attacks, organizations must prioritize protection and hiring individuals who have the knowledge and skills to best position their company to not fall victim to these ongoing cyberattacks.

Companies are not only losing millions of dollars to unending malware and ransomware strikes but cyberattacks on essential infrastructure are impacting real-world services. Despite the growing concern of cyberattacks, organizations are struggling to keep pace with the fast-moving threat landscape as they orient their business, networks, data and employees against never-ending cyberattacks.

"The evolving cyber threat landscape is the new normal," said EIS Management CIO Jeff Falk. "The labor diverted from business initiatives to cybersecurity concerns swells year-over-year, which demands I spend more of my time managing the business' security needs, having an impact on business operations."

In an effort to promote cybersecurity attentiveness, SonicWall supports Cybersecurity Awareness Month in October with an added emphasis on a new enduring cybersecurity awareness program, Secure Our World. Secure Our World reflects a new enduring message to be integrated across the Cybersecurity and Infrastructure Security Agency's (CISA) awareness campaigns and programs and encourages all of us to take action each day to protect ourselves when online or using connected devices.

**Methodology**

SonicWall surveyed approximately 10,000 customers from around the globe. Questions were optional and some were open-ended, while others were multiple choice.

**About SonicWall**

SonicWall, a partner-first business, has been an unquestioned leader in the cybersecurity for more than 30 years. SonicWall defends organizations mobilizing for their new business normal with seamless protection that stops the most evasive cyberattacks across endless exposure points and increasingly remote, mobile and cloud-enabled workforces. By knowing the unknown, providing real-time visibility and enabling breakthrough economics, SonicWall closes the cybersecurity business gap for enterprises, governments and SMBs worldwide. For more information, visit www.sonicwall.com or follow us on Twitter, LinkedIn, Facebook and Instagram.

SOURCE SONICWALL INC

SonicWall Data Confirms That Ransomware Is Still the Enterprise's Biggest Fear

**PRESS RELEASE**

**DENVER****,** **Oct. 26, 2023** **/PRNewswire/ --** New data from the Lumen Technologies (NYSE: LUMN) Distributed Denial of Service (DDoS) mitigation platform landed the banking industry in the unenviable position of being the most targeted vertical of Q3 2023. This is the first time the banking industry topped Lumen's "most targeted verticals" list and was largely due to the events of a single day: Sept. 21, 2023.

On that day, a single banking customer was targeted with more than 230 DDoS attacks – a whopping 4,500% increase over the daily average for that industry – yet it experienced no downtime. Had the attackers been successful, they could have caused significant damage in the form of lost business, remediation costs and reputational damage.

"The successful mitigations for this banking customer can be traced back to Lumen's multi-layered approach to DDoS mitigation," said Brett Lemarinel, director of unified threat management for Lumen. "It starts at our network, where countermeasures are built in, and our intelligent routing technology, which sends excess traffic through our 500+ scrubbing locations. Our DDoS customers have an added layer of protection from Rapid Threat Defense, our proprietary capability that utilizes threat intelligence from Lumen Black Lotus Labs® to block DDoS botnet traffic before it reaches the customer's environment."

Lemarinel continued, "This should be a warning to all other businesses. More than 230 mitigations in a single day suggests the threat actor was determined to wreak havoc on this customer. Even though the attacker failed, the activity we saw on Sept. 21 is a potent reminder that any business can be in an attacker's crosshairs on any given day."

**Other notable findings in the report include:**

A never-before-seen, four-vector combination was attempted during the Sept. 21 event. The four-vector combination included DNS Amplification, IP Fragmentation, Invalid Packets and Static Filtering. Cyber attackers frequently modify their vector combinations as they attempt to defeat mitigation strategies, but the Lumen DDoS mitigation platform has the flexibility required to recognize and stop these attacks before they impact the targeted customers. The total number of attacks decreased in Q3 2023. Attackers frequently run their operations like a business and, as with any business, cyberattacks have seasonal ups and downs. In Q3 2023, Lumen mitigated 4,217 attacks, which was a 23% quarter-over-quarter decrease and a 24% annual decrease. The banking industry was also the most-targeted vertical for application threats, according to Lumen's application protection partner, ThreatX. Among all industries, the highest percentage of blocked traffic (25.5%) came from programmatic access, which are suspicious, automated attempts to access a web application. This number is up 89% from the previous quarter. The banking sector experienced a significant percentage of "Attacks Against Authentication" (nearly 25%), which are used to gain unauthorized access to financial data. Financial institutions are attractive to attackers, as evidenced by the high attack ratio and combination of brute-force attacks that targeted banks in Q3. Protecting financial data is paramount, but robust web application and API protection solutions can help protect the industry.

"The Q3 ThreatX application attack analysis underscores the critical importance of bot protection and the need for awareness of industry-specific threats," said Neil Weitzel, director, Security Operations Center at ThreatX. "The especially high number of programmatic access threats this quarter underscores the prevalence of bots in API and application attacks. In addition, our findings reveal variations in threats across industries, so businesses must stay vigilant and proactive to safeguard their applications and APIs."

**About Lumen Technologies**

Lumen connects the world. We are igniting business growth by connecting people, data, and applications – quickly, securely, and effortlessly. Everything we do at Lumen takes advantage of our network strength. From metro connectivity to long-haul data transport to our edge cloud, security, and managed service capabilities, we meet our customers' needs today and as they build for tomorrow. For news and insights visit news.lumen.com, LinkedIn: /lumentechnologies, Twitter: @lumentechco, Facebook: /lumentechnologies, Instagram: @lumentechnologies, and YouTube: /lumentechnologies.

**About ThreatX**

ThreatX is managed API and application protection that lets you secure them with confidence, not complexity. It blocks botnets and advanced attacks in real time, letting enterprises keep attackers at bay without lifting a finger. Trusted by companies in every industry across the globe, ThreatX profiles attackers and blocks advanced risks to protect APIs and applications 24/7. Learn more at https://www.threatx.com.

Lumen Q3 DDoS Report: Banking Was the Most Targeted Industry for the First Time

**PRESS RELEASE**

**SEATTLE – Oct. 24, 2023 –** WatchGuard® Technologies, a global leader in unified cybersecurity, today announced the launch of WatchGuard MDR, a new 24/7 cybersecurity service purpose-built to make MDR vastly more accessible to managed service providers (MSPs) working to address soaring customer demand for managed cybersecurity delivery. The new service is managed by an elite team of cybersecurity experts and powered by AI. It requires no investment in a traditional security operation center (SOC) infrastructure, advanced technologies, or security experts, which addresses the pressures of scarce cybersecurity professionals and funding faced by MSPs.

“WatchGuard’s new solution has effectively super charged our managed security services business by allowing us to effortlessly tap into the immense potential of MDR and offer it as a value-added service to customers,” said Raul Zayas, president of ZTek Solutions. “By removing the burden on us to create a modern SOC, WatchGuard MDR expedited our ability to give customers what they need the most: top-notch, comprehensive cybersecurity backed by industry-leading cyber experts to ensure a resilient defense against evolving cyber threats. Not only has WatchGuard put us in the fast lane in that regard, they also make it all incredibly simple to do through their Unified Security Platform architecture to help ensure we stay ahead of the curve.”  

Highly customizable and scalable, this new MDR service further strengthens WatchGuard's Unified Security Platform architecture, providing advanced threat detection and response capabilities on top of WatchGuard EDR, EPDR, and Advanced EPDR that empower MSPs to build out robust, comprehensive security offerings for their customers. It comes with the support of WatchGuard’s automated Zero-Trust Application Service, Threat Hunting Service, advanced security analytics, threat intelligence, and a dedicated team of skilled cybersecurity analysts that monitor, detect, and respond to threats 24/7. 

“As a 100% channel-driven company, we wanted to deliver an enterprise-class MDR solution that would allow our MSP partners to expand their business without the expense of building their own SOC or adding to the challenges they already face in finding cybersecurity talent,” said Andrew Young, chief product officer at WatchGuard Technologies. “We are dedicated to supporting our MSP community, and the launch of WatchGuard MDR represents another milestone in the long-term trusted relationships we build with our partners. Not only does this service help MSPs break through existing barriers to entry for delivering managed security services – it allows them to capitalize on a growing opportunity with an innovative new solution we’ve purpose-built for them specifically.” 

**Key Features and Benefits**

WatchGuard MDR is the ideal choice for service providers looking to elevate the security posture of their customers, expand their portfolio, and generate recurring revenue streams with zero investment in modern security operations center (SOC), sophisticated and expensive AI-based technology, and scarce cybersecurity experts. Capabilities include:  

*   **24/7 Endpoint Activity Monitoring and Data Collection –** to provide real-time and retrospective monitoring using event data captured by WatchGuard EPDR or Advanced EPDR in WatchGuard’s modern SOC.
*   **24/7 Proactive Hunting and Detection** – to reduce time to detect and mitigate threats using AI, machine learning, and other advanced techniques to identify indicators of attack, while WatchGuard’s MDR threat hunters search for threats lurking in endpoints.
*   **24/7 Investigation and Validation** – to minimize the impact of potential threats by relying on WatchGuard experts to quickly investigate and accurately validate incidents to determine their nature and severity.
*   **Immediate Incident Notification** – to provide prompt notification with key insights such as affected machines and tactics used when a validated incident occurs so MSPs can take immediate action.
*   **Options for Mitigation and Guidelines for Remediation** – to give MSPs the flexibility to choose the strategy that works best for their business. They can rely on their own team with guidance from WatchGuard experts on how to contain and remove traces of an attack, restore data, patch vulnerabilities, and install additional controls. Or they can outsource the initial response and the containment through endpoint isolation to automated playbooks developed by WatchGuard MDR experts.
*   **Weekly Security Health Status Report and Monthly Activity Reporting** – to build trust with customers by providing regular reports on their security status, which service providers can customize to better engage customers with their MDR service and provide valuable feedback throughout the process.  

For more information about WatchGuard MDR, click here.

**About WatchGuard Technologies, Inc.**

WatchGuard® Technologies, Inc. is a global leader in unified cybersecurity. Our Unified Security Platform® is uniquely designed for managed service providers to deliver world-class security that increases their business scale and velocity while also improving operational efficiency. Trusted by more than 17,000 security resellers and service providers to protect more than 250,000 customers, the company’s award-winning products and services span network security and intelligence, advanced endpoint protection, multi-factor authentication, and secure Wi-Fi. Together, they offer five critical elements of a security platform: comprehensive security, shared knowledge, clarity & control, operational alignment, and automation. The company is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter (@WatchGuard), on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org. Subscribe to The 443 – Security Simplified podcast at Secplicity.org, or wherever you find your favorite podcasts.

WatchGuard Launches MDR Service, Helps MSPs Accelerate Cybersecurity Service Delivery

**PRESS RELEASE**

**CAMBRIDGE, England****,** **Oct. 26, 2023** **/PRNewswire/ --** Darktrace, a global leader in cyber security AI, today unveiled a new Darktrace/Cloud™ solution based on its unique Self-Learning AI. The new solution provides comprehensive visibility of cloud architectures, real-time cloud-native threat detection and response, and prioritized recommendations and actions to help security teams manage misconfigurations and strengthen compliance. When combined with insight from Darktrace solutions for network, email, apps, zero trust and endpoint, Darktrace/Cloud provides a deeper, contextualized understanding of the risks and threats currently facing an organization's digital estate.  

According to a recent report, "Gartner® anticipates over 99 percent of cloud breaches will be based on a customer error, account takeover or misconfiguration until 2027"\[1\]. Cloud environments are constantly evolving so security professionals need to increase the level of visibility while keeping up with changing compliance, risk and security requirements. The rise of cloud-native technologies including containers, Kubernetes and microservices also require new tools and techniques for detecting and responding to known and novel threats.

"Unlike static cloud security tools that provide snapshots of a specific point in time, Darktrace/Cloud is real-time, all the time. Our Self-Learning AI continuously learns patterns between workloads, assets, policy configurations and identities to provide a dynamic view of cloud architectures. We analyze the entire cloud stack from data to control plane, combining an understanding of architecture and network with a new flexible, scalable deployment model," said Jack Stockdale, Chief Technology Officer, Darktrace. "Our innovative approach to cloud security is built on more than a decade of leadership in Cyber AI that is already protecting our customers' critical business areas from network and email to operational technology."

Available today, the new capabilities in Darktrace/Cloud include:

*   **Comprehensive visibility and architecture modeling** for insights into the constantly changing nature of cloud environments. This visibility is constructed dynamically from configuration, network, users and identity and access management (IAM) data. Darktrace establishes patterns of life for cloud resources, identities, and services to understand who has access to what and how. This is critical for detecting anomalies and unknown threats.
*   **Universal attack path modeling** provides a dynamic view of where attackers may look to move next. Darktrace brings together real-time cloud data and a deep understanding of your cloud environment with a platform approach that provides insights about risks from other covered areas of the business (e.g., network, email) to highlight potential attack paths and prioritize important assets to secure.
*   **Unique real-time and cloud-native threat detection and response** that provides a dynamic view of known and novel threats within the cloud. Darktrace combines deep cloud attack path knowledge with real-time anomaly and threat detection through cloud-native autonomous response actions, such as detaching a policy from a user or removing a workload from a security group.
*   **Prioritized cloud posture management** that starts by examining cloud configurations against common compliance frameworks. Where misconfigurations are detected, Darktrace provides a prioritized view of what to fix first, based on a risk profile generated from security and business context. Guided steps can be provided to help teams proactively address these before they become a significant issue.
*   **Cost discovery** to provide a better understanding of cloud resource allocation. This helps teams contextualize their cloud resources according to security and business priorities.
*   **Communication and collaboration capabilities** to streamline workflows between security teams and DevOps teams. Tickets can be created on demand, teams can communicate directly via messaging platforms, and alerts and anomaly detections can be sent to Security Information & Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) products and the Darktrace Mobile app so they can be alerted on the go.
*   **Flexible deployment options** include an agentless deployment by default so organizations can be up and running in minutes. Teams can use the dynamic architectural view and risk context to decide where to deploy agents for enhanced real-time actions and deeper inspection.

Sykes Cottages, a cloud-native travel agency platform in the UK, has experienced significant growth in the last five years and has relied on the cloud to help them scale throughout this period.

"When it comes to cybersecurity, having visibility and an understanding of what you've got and your risks is critical. If I don't know it's there, I can't protect it," said Jonny Mattey, Head of Cybersecurity, Sykes Cottages. "Having a holistic, live view of our cloud environment enables us to work pragmatically and use AI to cut down management time so that we can address security risks and improve our resilience."

The new Darktrace/Cloud solution is now available on Amazon Web Services (AWS) through the AWS Marketplace, a curated digital catalog that makes it easy for customers to find, buy, deploy, and manage the third-party software they need to build solutions and run their business. Darktrace and AWS have been collaborating since 2017 to help organizations secure their AWS environments. Darktrace protects AWS environments for organizations around the world including Sunwest Bank and ProPhase Labs. Darktrace is an AWS Security Competency Partner and is part of the AWS ISV Accelerate program.

"Security is job zero at AWS," said Paddy Fitzpatrick, Director – Independent Software Vendors, UK & Ireland at Amazon Web Services. "As the threat landscape continues to evolve, the availability of AI-based tools like Darktrace/Cloud on the AWS Marketplace will help customers to gain increased visibility, and respond more effectively to security risks and threats."

Darktrace first extended its Cyber AI capabilities to cloud environments in 2016, applying its world class algorithms to granular network traffic. Darktrace/Cloud was recently named Cloud Security Product of the Year for Large Enterprises by Computing Magazine in its 2023 Cloud Excellence Awards.

Learn more about the new enhancements to Darktrace/Cloud by tuning into the launch event at 11:30am ET/4:30pm BST.

**ABOUT DARKTRACE**

Darktrace (DARK.L), a global leader in cyber security artificial intelligence, is on a mission to free the world of cyber disruption. Breakthrough innovations in our Cyber AI Research Center in Cambridge, UK have resulted in over 160 patents filed and research published to contribute to the cyber security community. Rather than study attacks, Darktrace's technology continuously learns and updates its knowledge of 'you' and applies that understanding to optimize your state of optimal cyber security. Darktrace is delivering the first ever Cyber AI Loop, fueling a continuous end-to-end security capability that can autonomously spot and respond to novel in-progress threats within seconds. Darktrace employs over 2,200 people around the world and protects approximately 8,900 customers globally from advanced cyber threats. Darktrace was named one of TIME magazine's 'Most Influential Companies' in 2021. To learn more, visit http://www.darktrace.com.

SOURCE Darktrace

Darktrace Unveils Cloud-Native Security Solution Using AI

The industrial automation giant agrees to buy Verve Industrial Protection, joining in an ICS trend of bringing cybersecurity capabilities in-house to keep up with attackers.

Manufacturers of industrial automation and control systems continue to scoop up industrial cybersecurity firms to provide customers with more protection for their factories and facilities.

This week, Rockwell Automation agreed to acquire Verve Industrial Protection, a cybersecurity software and services firm, which will become part of Rockwell's Lifecycle Services division. The acquisition follows the July commitment by Honeywell to buy SCADAfence, an operational technology and IoT security firm, as a way to acquire asset discovery and threat detection capabilities. And just last week, technology firm Siemens announced an all-in-one testing suite for industrial networks — partnering with Tenable on the initial testing tools, but committing to including more third parties in the future.

The large manufacturers are trying to catch up with attackers and fix their cybersecurity shortcomings, says Katell Thielemann, distinguished vice president analyst at business intelligence firm Gartner.

"OEMs are on a bit of a redemption journey," she says. "Their end-user clients are starting to be vocal about buying multimillion-dollar assets that contain vulnerabilities and misconfigurations, and then having to pay million-dollar support services contracts that allow fixes downstream."

An additional impetus for Honeywell, Siemens, and Rockwell to acquire cybersecurity services comes from the desire to create additional channels for sales, says Dale Peterson, CEO and founder of Digital Bond, an ICS consultancy.

"What we are seeing is the large ICS vendors are developing practices to sell cybersecurity products and services — sometimes through acquisition ... and sometimes through partnerships," he says. "It's unclear if this will be successful or how committed they will be to this in tough times."

**Target Threats Tailored to ICS**

The acquisition announced comes as attackers are increasingly targeting industrial control systems (ICS) and the industrial Internet of Things (IIoT). In May 2021, an attack on Colonial Pipeline's information systems resulted in the company shutting down pipelines, causing a fuel shortage along the East Coast of the United States.

Overall, 77% of attacks on critical infrastructure came from state-affiliated actors and organized criminal groups, according to an analysis of 122 public incidents published by Rockwell Automation last month. The largest share of attacks (39%) hit the energy sector, with critical manufacturing, transportation, and nuclear sectors each accounting for another tenth of attacks, according to the report.

Attackers are increasingly targeting industrial automation and safety equipment with tailored malware, while defenders have seen "a worrisome increase in disclosed vulnerabilities in industrial cyber-physical systems," says Thielemann. Typically, the vast majority (84%) of attacks have come through IT networks, while only 14% have initially infected an OT device, according to Rockwell's report.

Operators of industrial systems need to know what devices are present in their OT and IT networks, which are vulnerable, and which can be patched, she says.

"As the threat landscape starts to pose a clear and present danger in production environments, it is critical to know what assets you have, and to shift from a network-centric view of security to an asset-centric one," Thielemann says.

**Industrial Automation Struggles With Security**

The Rockwell-Verve merger might also be a way to change the industrial control system and automation industries' mindset on security. Operators typically have not had good visibility into the devices and equipment deployed to their operational networks, and patching equipment that have lifecycles of decades when dealing with software with lifecycles of years is a complex problem.

Rockwell Automation has rolled out signed firmware and support for CIP Security for defense-in-depth, supporting device identification and authentication using certificates on devices, says Peterson.

Still, industrial automation providers have a ways to go to earn their customers' confidence that they will put security ahead of profits, he says.

"\[W\]hether the asset owner will trust the ICS vendor to be straightforward about risk when it reflects poorly on their own systems or reflects positively on a competitor" is an open question, Peterson says. "All this to say that the ICS vendor as a channel for ICS security products and services is unproven."

Rockwell Automation did not disclose the details of its purchase agreement with Verve. The company noted that the acquisition must meet regulatory approvals and should close in the first quarter of its fiscal year in 2024.

Rockwell's Verve Buy Enlivens Critical Infrastructure Security

The cybercrime recruitment and mentoring hub conducted a variety of cybercrimes including business email compromise.

Nigerian police arrested six men they believe are associated with a cybercrime recruitment and mentoring hub.

During interrogation, the six men — aged from 19 to 27 — admitted to activities including identity theft, hacking and trading of hacked Facebook accounts, romance scams, computer-related forgery, and other computer-related fraud, according to a statement from the Nigerian police force.

Police also said intelligence reports indicated involvement by the syndicate in other high-level cybercrimes, including business email compromise and high-yield investment program fraud.

A police spokesperson said in a statement that the arrested suspects will be charged upon the conclusion of the investigation, while "efforts to apprehend the fleeing members of this criminal network are underway," suggesting there are more people involved.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Nigerian Cybercrime Hub Shut Down With 6 Arrests

WordPress AI ChatBot plugin versions 4.8.9 and below suffer from arbitrary file deletion, remote SQL injection, and directory traversal vulnerabilities.

Vulnerability Details and Technical Analysis

The AI ChatBot plugin provides website owners with a plug and play chat solution that can be expanded upon with customizable FAQs and custom text responses. It provides website users with an interface that allows them to look up order information, leave contact information for later callbacks and can be integrated with OpenAI’s ChatGPT or Google’s DialogFlow.

A lot of the interactions with the chatbot happen via AJAX actions. Many of these actions were made available to unauthenticated users in order to allow them to interact with the chatbot. Other actions required at least subscriber-level access.

Unauthenticated SQL Injection – CVE-2023-5204

Description: Unauthenticated SQL Injection via qc_wpbo_search_response 

Affected Plugin:AI ChatBot

Plugin slug:chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5204

CVSS score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

One of the many vulnerabilities we discovered was an unauthenticated SQL Injection. The following two AJAX actions are used for searches during interactions with the chatbot:

add_action( 'wp_ajax_nopriv_wpbo_search_response', 'qc_wpbo_search_response' );

add_action( 'wp_ajax_wpbo_search_response', 'qc_wpbo_search_response' );

The wp_ajax_nopriv_wpbo_search_response AJAX action can be used by users who are not authenticated to WordPress due to the hook utilizing ‘nopriv’. On the other hand, the standard wp_ajax_wpbo_search_response AJAX action can only be used by authenticated users due to the inherent functionality of AJAX actions.

qc_wpbo_search_response 

function qc_wpbo_search_response (shortened for brevity)

The qc_wpbo_search_response function hooked by the aforementioned AJAX actions is used to search within the database for responses containing certain keywords. If the $_POST[‘strid’] parameter is set, a record is retrieved from the wpbot_response table by ID. The $strid variable supplied by the POST parameter can be leveraged for SQL Injection, despite being sanitized using the sanitize_text_field function.

According to the WordPress Developer Resources, the sanitize_text_field function checks for invalid UTF-8; converts single < characters to entities; strips all tags; removes line breaks, tabs, and extra whitespace; strips percent-encoded characters. This does not provide sufficient protection against SQL Injection attempts, and is only intended for Cross-Site Scripting protection. Furthermore, the get_results function used in the above function call does not perform any preparation, nor is there any escaping of the user supplied input passed to the SQL Query. We always recommend the use of the prepare function on SQL queries as it provides adequate escaping on the user-supplied values, which prevents SQL injection from being successful. In addition, ensuring that the $strid is an integer would help prevent a SQL Injection attack from being successful.

The lack of a UNION operation in the above SQL query makes exploiting this vulnerability more difficult, but a time-based blind injection approach using the SLEEP() function and CASE statements can still be used to extract information from the database by observing the duration of individual queries. While tedious, this technique can be used to extract sensitive information from the database. This includes hashed passwords.

Arbitrary File Deletion – CVE-2023-5212

Description:Authenticated (Subscriber+) Arbitrary File Deletion via qcld_openai_delete_training_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor: QuantumCloud

Affected versions: <= 4.8.9

CVE ID:CVE-2023-5212

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

The plugin offers the ability to upload training files to OpenAI. An arbitrary file deletion vulnerability existed in the  qcld_openai_delete_training_file  function invoked via the following AJAX action:

add_action('wp_ajax_qcld_openai_delete_training_file',[$this,'qcld_openai_delete_training_file']);

delete_training_file 

function qcld_openai_delete_training_file

This vulnerable function accepts a file path via the $_POST[‘file’] parameter and checks whether the file exists. If it does, the function adjusts permissions on the file in such a way that it can be removed and proceeds to delete it. This function misses a capability check to ensure that the user performing the action has proper privileges, as well as a nonce check to ensure that the action is performed intentionally. and is thus vulnerable to Missing Authorization and Cross-Site Request Forgery.

Furthermore, no check is performed ensuring that the file is an OpenAI training file and that it resides in a location or directory where training files are expected to be located. This could allow an authenticated attacker with subscriber-level privileges or higher to remove the wp-config.php file of an affected site, which would invoke the WordPress installation script on the next site visit and could lead to a complete site takeover.

The file path passed via the $_POST[‘file’] parameter could also point to a file outside of the affected website, thus enabling the deletion of wp-config.php files of other sites in shared hosting environments. Deleting wp-config.php forces the site into a setup state, at which point an attacker can take over the site by pointing it to a database under their control. Of course, attackers are not limited to deleting PHP files either as long as the web server can change file permissions and delete the file.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Directory Traversal to Arbitrary File Write – CVE-2023-5241

Description: Authenticated (Subscriber+) Directory Traversal to Arbitrary File Write via qcld_openai_upload_pagetraining_file 

Affected Plugin: AI ChatBot

Plugin slug: chatbot

Vendor:QuantumCloud

Affected versions: <= 4.8.9

CVE ID: CVE-2023-5241

CVSS score: 9.6 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Researcher: Marco Wotschka 

Fully Patched Version: 4.9.1

We also discovered an arbitrary file write vulnerability which exists in the qcld_openai_upload_pagetraining_file function. The entire function is rather long which is why we won’t display it here in its entirety.

upload_training_file 

function qcld_openai_upload_pagetraining_file (shortened for brevity)

The function expects a filename to be passed as a  $_POST[‘filename’]  parameter, which is sanitized using the sanitize_text_field function. The $file variable is used to determine the location of a file in the wp-content/uploads/qcldopenai_site_training/ directory. If the file exists, the function proceeds to declare a variable called $split_file, creates a file handle $qcld_openai_json_file and opens the file in append mode. This means that the file is not overwritten but anything written to the file is instead appended.

It is not immediately clear what the purpose of this part of the function is since it simply appends the contents that are already in the file to the end of the file until the length of the content that is added exceeds $this->wpaicg_max_file_size or the entire file has been duplicated.

The corresponding if-statement that determines when to terminate writing to the file looks as follows:

if(mb_strlen($qcld_openai_content, '8bit') >$this->wpaicg_max_file_size)

In a default installation $this->wpaicg_max_file_size is not defined and therefore NULL. Hence, in such scenarios the function adds the first line of the file specified by the user to the end of the file. Since NULL is interpreted as zero in a comparison statement like this, any positive file size will suffice to break out of this part of the function.

Unfortunately, this code is vulnerable to Directory Traversal via the filename parameter. If the filename that is passed is a relative path to wp-config.php, the file handle will ultimately point to the site’s wp-config.php file. An authenticated attacker with subscriber-privileges or higher could utilize this fact to append the first line of its content to the file wp-config.php, which would be <?php.

While an attacker does not have any influence on the data that is written, in most cases a <?php could be written to the end of a targeted PHP file, which can lead to catastrophic consequences as the added PHP tag may result in an error such as

Parse error: syntax error, unexpected token "<", expecting end of file

This prevents the site from loading properly and can be used to append to any PHP file (or other files) including those in shared hosting environments leading to Denial of Service (DoS). One way to prevent Directory Traversal is to use the sanitize_file_name function, which removes special characters including slashes and leading dots from the file name.

Version 4.9.1 removed this function as well as the corresponding AJAX action. Version 4.9.2 reintroduced the vulnerable function and action hook, which were both again removed in version 4.9.3.

Numerous Other Missing Authorization and Cross-Site Request Forgery Vulnerabilities

In addition to the vulnerabilities outlined above, we discovered several AJAX actions without proper capability checks, which made it possible for authenticated attackers with minimal access, such as subscribers, to invoke those actions. Several of the functions were also missing nonce verification, which would make it possible for attackers to forge requests on behalf of a site administrator, or any other authenticated user considering capability checks were also missing.

However, these vulnerabilities had minimal impact and led to the exposure of information such as user order details and user names, the download and extraction of a zip used by the plugin (not arbitrary zip files), cache deletion, as well as starting and stopping of search indexing jobs to name a few. The severity of those actions is lower than the ones we detailed above.

Timeline

September 25-28, 2023 – The Wordfence Threat Intelligence team discovers several vulnerabilities in the AI ChatBot plugin.

September 28, 2023 – We initiate contact with the plugin developer.

September 29, 2023 – We release a firewall rule to protect Wordfence Premium , Wordfence Care , and Wordfence Response  customers and send the full disclosure to the plugin developer. Receipt of the disclosure is acknowledged.

October 10, 2023 – A fixed version (4.9.1) of the plugin that patches all reported vulnerabilities is released.

October 18, 2023 – Several of the vulnerabilities are reintroduced in version 4.9.2. We inform the vendor about this.

October 19, 2023 – Version 4.9.3 patches the vulnerabilities again.

October 29, 2023 – The firewall rule becomes available to free Wordfence users

Conclusion

In this blog post we covered an Unauthenticated SQL Injection vulnerability (affecting versions <= 4.8.9), as well as an Arbitrary File Write vulnerability and an Arbitrary File Deletion vulnerability (affecting versions <= 4.8.9 and 4.9.2). The SQL Injection vulnerability allows unauthenticated attackers to extract sensitive information from the database using a time-based blind injection approach, which could ultimately lead to exposure of admin credentials and site takeover.

The Arbitrary File Write vulnerability can be utilized by authenticated attackers to append opening PHP tags (in default configurations) to any file including the wp-config.php file, which can lead to Denial of Service (DoS). The Arbitrary File Deletion vulnerability can be used by authenticated attackers to delete any file on the web server offering the possibility of complete site takeovers.

All Wordfence running Wordfence Premium , Wordfence Care , and Wordfence Response , have been protected against these vulnerabilities as of September 29, 2023. Users still using the free version of Wordfence will receive the same protection on October 29, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as these vulnerabilities pose a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence  and potentially earn a spot on our leaderboard .

Tag

#intel