The fast growing region has its own unique cyber issues — and it needs its own talent to fight them.

Source: Panther Media via Alamy Stock Photo

COMMENTARY

The Middle East is undergoing a digital transformation that is as rapid as it is remarkable. Tech multinationals are investing big in the region as Dubai, Riyadh, and Abu Dhabi strive to establish themselves as global innovation hubs.   

But this increased digitization comes with an increased risk of cyberattacks — and businesses throughout the Middle East are at risk of being caught with their guard down.

The pace of digital growth in countries throughout the Middle East has far outstripped cybersecurity talent in the region, leaving organizations fatally exposed. While some businesses resort to outsourcing their cybersecurity measures to tech giants and their tools, this hands-off approach is risk-prone.

The Middle East now sits squarely in the firing line. With cyberattacks emboldened by AI, robust cybersecurity defenses are more crucial than ever. Businesses must move away from outsourcing and focus on building strong in-house defenses by investing in tool-based approaches and heavily leveraging in-house hiring, upskilling, and talent retention practices.

**Victims of Their Own Success?**

The commercial success of locations like Dubai, Abu Dhabi, and Saudi Arabia has transformed them into potential hotbeds for cybercrime. Distributed denial-of-service (DDoS) attacks on Middle Eastern countries have risen 75% in the past year, with the UAE and Saudi Arabia taking the brunt of the blow. 

Related:Iranian APT Group Targets IP Cameras, Extends Attacks Beyond Israel

The UAE alone falls victim to around 50,000 cyberattacks a day. And it comes at a cost: in 2023, cyberattacks cost businesses, organizations, and public bodies more than $8 million per incident.

The uptick in cyberattacks is only exacerbated by changing patterns in the cybercrime landscape. The rise of AI has lowered the barrier to entry for would-be hackers, allowing those with even the most novice skills to carry out a full-scale attack. Meanwhile, the proliferation of cybercrime as a service (CaaS), offering services like DDoS-for-hire, means threat actors now need little more than an intention to launch a cyberattack. In this new era of cybercrime, where there's a will, there's a way.

The current cybersecurity skills gap seen throughout the Middle East is leaving companies exposed and vulnerable to bad actors. Over half the companies in the EMEA region have attributed cybersecurity breaches to a lack of skills and training, while 70% of business leaders believe that skills shortages create a whole host of additional cybersecurity risks for companies to address.

**AI Muddles Outsourced Security Equation**

Related:DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

Too many businesses attempt to remedy this lack of talent by outsourcing their cybersecurity to third parties. While this might have been effective when countries like the US were the main target for threat actors, that's no longer the case.   

The rise of AI-enhanced cyberattacks presents a new host of threats that businesses outsourcing cybersecurity won't necessarily be able to tackle. Not only has AI made it easier for threat actors to carry out cyberattacks, it's also made the attacks themselves more sophisticated and more malicious.

AI-enhanced malware is stealthier, making it harder to detect a breach of IT infrastructure. Automated phishing attacks enable bad actors to target a larger number of potential victims, while the phishing attacks themselves are highly tailored to their targets.

It is crucial that Middle Eastern businesses — particularly those in the UAE and Saudi Arabia — are on top of their cybersecurity measures. They cannot sit back and outsource cybersecurity with the assumption that the risk is also transferred. Instead, they must take an active approach to their cybersecurity measures by building up a strong in-house cybersecurity team that can identify, respond to, and deal with threats in an effective and timely manner. 

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

Bringing cybersecurity in-house mitigates the risks that can crop up when relying on outsourced defenses, such as slow response times. Instead, in-house cybersecurity teams will have their fingers on the pulse of the business's security framework, as well as a thorough understanding of business specifics, enabling them to react quickly to threats.

But to achieve this, businesses must invest heavily in new and pre-existing IT talent to close the Middle East's skills gap — and this should be done with a particular focus on hiring and retention practices.

**Retention Is Tough in Smaller Talent Pool**

Over half of organizations globally say they struggle to recruit candidates with cybersecurity experience. Difficulties in hiring cybersecurity talent are compounded by trouble retaining cybersecurity staff, throwing employers into a vicious cycle of hiring and re-hiring. In the Middle East, where the digital economy is still young, this is of particular concern — the talent pool is finite, and companies cannot afford to lose out on promising employees.   

To combat this, corporations in the Middle East should turn their attention to the fresh talent coming out of universities throughout the Middle East and around the world. By forming partnerships with universities and offering attractive graduate schemes, businesses can tap into dense talent pools brimming with promising cybersecurity talent.

Graduates are eager to learn and willing to mold to the company ethos, making them the ideal choice for corporations looking to build up a dedicated in-house cybersecurity team.

Investing in apprenticeship schemes is another option for companies. Although more hands-on, companies will be able to train candidates from the ground up, ensuring the candidate's skills and knowledge are strongly aligned with the business's cybersecurity needs.

**Learning & Development Must Be Fostered**

Retaining this talent is just as crucial as bringing them on board in the first place.  Alongside the usual retention tactics, such as competitive pay packets and desirable benefits, companies must invest heavily in continuous learning and development (L&D) opportunities throughout the employee's career.  

Poor training — or a lack of training altogether — is a surefire way to lose employees. Conversely, 94% of employees say they would stay longer with an employer that invested in L&D. In a fast-changing, continually developing industry like cybersecurity, L&D is especially vital.

Investing in training sessions and development courses for cybersecurity employees will ensure they're kept up to date with any changes in the threat and security landscape. And, in the process, employees will feel as if the company is giving them opportunities to develop their skills and abilities, rounding them out into highly experienced cybersecurity professionals.

Investing in staff as a cybersecurity tactic shouldn't begin and end with cybersecurity staff. Deploying a company-wide cybersecurity upskilling program is a vital first step — and a simple way of ruling out one of the greatest causes behind cybersecurity breaches: human error. Negligence, a lack of awareness, or simple mistakes can lead to vulnerabilities and breaches, even in the most robust systems. Upskilling is a vital step companies must take to mitigate this risk.

With the rising rate of cyberattacks in the Middle East, corporations cannot afford to sit back and wait until they become the next big victim of a data breach or DDoS attack.

Companies can't rely solely on third-party cybersecurity measures — they must build up comprehensive in-house defenses. Businesses need to act now and double their investments in cybersecurity talent, paying particular mind to up-and-coming graduate talent.

**About the Author**

Founder, PG Advisors Ltd.

Partha Gopalakrishnan is a leading business transformation expert with more than 25 years of experience directing global teams to drive digital growth. He also has his own firm, PG Advisors, which offers board advisory and non-executive director services for prominent analysts and PE Firms. 

Partha has served in executive leadership positions with some of the world’s largest technology firms and global systems Integrators, including 17 years with Infosys, followed by a tenure at Tech Mahindra. He has completed executive education programs at the Stanford University Graduate School of Business and The Wharton School of the University of Pennsylvania.

Cybersecurity Lags in Middle East Business Development

AI tools will enable significant productivity and efficiency benefits for organizations in the coming year, but they also will exacerbate privacy, governance, and security risks.

Source: Anggalih Prasetya via Shutterstock

Most industry analysts expect organizations will accelerate efforts to harness generative artificial intelligence (GenAI) and large language models (LLMs) in a variety of use cases over the next year.

Typical examples include customer support, fraud detection, content creation, data analytics, knowledge management, and, increasingly, software development. A recent survey of 1,700 IT professionals conducted by Centient on behalf of OutSystems had 81% of respondents describing their organizations as currently using GenAI to assist with coding and software development. Nearly three-quarters (74%) plan on building 10 or more apps over the next 12 months using AI-powered development approaches.

While such use cases promise to deliver significant efficiency and productivity gains for organizations, they also introduce new privacy, governance, and security risks. Here are six AI-related security issues that industry experts say IT and security leaders should pay attention to in the next 12 months.

**AI Coding Assistants Will Go Mainstream — and So Will Risks**

Use of AI-based coding assistants, such as GitHub Copilot, Amazon CodeWhisperer, and OpenAI Codex, will go from experimental and early adopter status to mainstream, especially among startup organizations. The touted upsides of such tools include improved developer productivity, automation of repetitive tasks, error reduction, and faster development times. However, as with all new technologies, there are some downsides as well. From a security standpoint these include auto-coding responses like vulnerable code, data exposure, and propagation of insecure coding practices.

"While AI-based code assistants undoubtedly offer strong benefits when it comes to auto-complete, code generation, re-use, and making coding more accessible to a non-engineering audience, it is not without risks," says Derek Holt, CEO of Digital.ai. The biggest is the fact that the AI models are only as good as the code they are trained on. Early users saw coding errors, security anti-patterns, and code sprawl while using AI coding assistants for development, Holt says. "Enterprises users will continue to be required to scan for known vulnerabilities with \[Dynamic Application Security Testing, or DAST; and Static Application Security Testing, or SAST\] and harden code against reverse-engineering attempts to ensure negative impacts are limited and productivity gains are driving expect benefits."

**AI to Accelerate Adoption of xOps Practices**

As more organizations work to embed AI capabilities into their software, expect to see DevSecOps, DataOps, and ModelOps — or the practice of managing and monitoring AI models in production — converge into a broader, all-encompassing xOps management approach, Holt says. The push to AI-enabled software is increasingly blurring the lines between traditional declarative apps that follow predefined rules to achieve specific outcomes, and LLMs and GenAI apps that dynamically generate responses based on patterns learned from training data sets, Holt says. The trend will put new pressures on operations, support, and QA teams, and drive adoption of xOps, he notes.

"xOps is an emerging term that outlines the DevOps requirements when creating applications that leverage in-house or open source models trained on enterprise proprietary data," he says. "This new approach recognizes that when delivering mobile or web applications that leverage AI models, there is a requirement to integrate and synchronize traditional DevSecOps processes with that of DataOps, MLOps, and ModelOps into an integrated end-to-end life cycle." Holt perceives this emerging set of best practices will become hyper-critical for companies to ensure quality, secure, and supportable AI-enhanced applications.

**Shadow AI: A Bigger Security Headache**

The easy availability of a wide and rapidly growing range of GenAI tools has fueled unauthorized use of the technologies at many organizations and spawned a new set of challenges for already overburdened security teams. One example is the rapidly proliferating — and often unmanaged — use of AI chatbots among workers for a variety of purposes. The trend has heightened concerns about the inadvertent exposure of sensitive data at many organizations.

Security teams can expect to see a spike in the unsanctioned use of such tools in the coming year, predicts Nicole Carignan, vice president of strategic cyber AI at Darktrace. "We will see an explosion of tools that use AI and generative AI within enterprises and on devices used by employees," leading to a rise in shadow AI, Carignan says. "If unchecked, this raises serious questions and concerns about data loss prevention as well as compliance concerns as new regulations like the EU AI Act start to take effect," she says. Carignan expects that chief information officers (CIOs) and chief information security officers (CISOs) will come under increasing pressure to implement capabilities for detecting, tracking, and rooting out unsanctioned use of AI tools in their environment.

**AI Will Augment, Not Replace, Human Skills**

AI excels at processing massive volumes of threat data and identifying patterns in that data. But for some time at least, it remains at best an augmentation tool that is adept at handling repetitive tasks and enabling automation of basic threat detection functions. The most successful security programs over the next year will continue to be ones that combine AI's processing power with human creativity, according to Stephen Kowski, field CTO at SlashNext Email Security+.

Many organizations will continue to require human expertise to identify and respond to real-world attacks that evolve beyond the historical patterns that AI systems use. Effective threat hunting will continue to depend on human intuition and skills to spot subtle anomalies and connect seemingly unrelated indicators, he says. "The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses."

AI's ability to rapidly analyze large datasets will heighten the need for cybersecurity workers to sharpen their data analytics skills, adds Julian Davies, vice president of advanced services at Bugcrowd. "The ability to interpret AI-generated insights will be essential for detecting anomalies, predicting threats, and enhancing overall security measures." Prompt engineering skills are going to be increasingly useful as well for organizations seeking to derive maximum value from their AI investments, he adds.

**Attackers Will Leverage AI to Exploit Open Source Vulns**

Venky Raju, field CTO at ColorTokens, expects threat actors will leverage AI tools to exploit vulnerabilities and automatically generate exploit code in open source software. "Even closed source software is not immune, as AI-based fuzzing tools can identify vulnerabilities without access to the original source code. Such zero-day attacks are a significant concern for the cybersecurity community," Raju says.

In a report earlier this year, CrowdStrike pointed to AI-enabled ransomware as an example of how attackers are harnessing AI to hone their malicious capabilities. Attackers could also use AI to research targets, identify system vulnerabilities, encrypt data, and easily adapt and modify ransomware to evade endpoint detection and remediation mechanisms.

**Verification, Human Oversight Will Be Critical**

Organizations will continue to find it hard to fully and implicitly trust AI to do the right thing. A recent survey by Qlik of 4,200 C-suite executives and AI decision-makers showed most respondents overwhelmingly favored the use of AI for a variety of uses. At the same time, 37% described their senior managers as lacking trust in AI, with 42% of mid-level managers expressing the same sentiment. Some 21% reported their customers as distrusting AI as well.

"Trust in AI will remain a complex balance of benefits versus risks, as current research shows that eliminating bias and hallucinations may be counterproductive and impossible," SlashNext's Kowski says. "While industry agreements provide some ethical frameworks, the subjective nature of ethics means different organizations and cultures will continue to interpret and implement AI guidelines differently." The practical approach is to implement robust verification systems and maintain human oversight rather than seeking perfect trustworthiness, he says.

Davies from Bugcrowd says there's already a growing need for professionals who can handle the ethical implications of AI. Their role is to ensure privacy, prevent bias, and maintain transparency in AI-driven decisions. "The ability to test for AI’s unique security and safety use cases is becoming critical," he says.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

6 AI-Related Security Trends to Watch in 2025

Treasury says hackers accessed “certain unclassified documents” in a “major” breach, but experts believe the attack’s impacts could prove to be more significant as new details emerge.

A disclosure notice to the United States Congress on Monday revealed that the US Treasury Department suffered a breach earlier this month that allowed hackers to remotely access some Treasury computers and “certain unclassified documents.”

The attackers exploited vulnerabilities in remote tech support software provided by the identity and access management firm BeyondTrust, and Treasury said in its letter to lawmakers that “the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.” Reuters first reported the disclosure and its contents.

In the notice, Treasury officials said that BeyondTrust notified the agency of the incident on December 8 after attackers were able to steal an authentication key and use it to bypass system defenses and gain access to Treasury workstations.

“The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information,” Treasury assistant secretary for management Aditi Hardikar wrote the lawmakers. “In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident.”

The disclosure says that Treasury has been collaborating with the FBI, the Cybersecurity and Infrastructure Security Agency, and the intelligence community broadly as well as private “forensic investigators” to evaluate the situation. The Treasury and FBI did not immediately return WIRED's request for additional information about the breach. CISA referred questions back to the Treasury Department. BeyondTrust was not immediately available for comment about the situation.

On December 8, BeyondTrust published an alert that it has continued to update about “a security incident that involved a limited number of Remote Support SaaS customers.” (SaaS stands for “software as a service.”) Though the notification does not say that the US Treasury was one of the impacted customers, the timeline and details appear to line up with the Treasury disclosure, including acknowledgment from BeyondTrust that attackers compromised an application programming interface key.

The BeyondTrust alert mentions two exploited vulnerabilities involved in the situation—the critical command injection vulnerability "CVE-2024-12356" and the medium-severity command injection vulnerability "CVE-2024-12686." CISA added the former CVE to its “Known Exploited Vulnerabilities Catalog” on December 19. Command injection vulnerabilities are common application flaws that can be easily exploited to gain access to a target's systems.

“I cannot believe that we're seeing command injection vulnerabilities in 2024 in any products, let alone a secure remote access product that's supposed to have additional vetting for use by the US government,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy and a former NSA hacker. “They are some of the easiest bugs to identify and remediate at this point.”

BeyondTrust is an accredited “Federal Risk and Authorization Management Program” vendor, but Williams speculates that it is possible that the Treasury was using a non-FedRAMP version of the company's Remote Support and Privileged Remote Access cloud products. If the breach actually affected FedRAMP-certified cloud infrastructure, though, Williams says, “it might be the first breach of one and almost certainly the first time FedRAMP cloud tools were abused to facilitate remote access to a customer's systems.”

The breach comes as US officials have been scrambling to address a massive espionage campaign compromising US telecoms that has been attributed to the China-backed hacking group known as Salt Typhoon. White House officials told reporters on Friday that Salt Typhoon breached nine US telecoms.

“We wouldn’t leave our homes, our offices, unlocked and yet our critical infrastructure—the private companies owning and operating our critical infrastructure—often do not have the basic cybersecurity practices in place that would make our infrastructure riskier, costlier, and harder for countries and criminals to attack,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said on Friday.

Treasury, CISA, and FBI officials did not respond to WIRED's questions about whether the actor that breached the Treasury was specifically Salt Typhoon. Treasury officials said in the disclosure to Congress that they would provide more information about the incident in the Department's mandated 30-day supplemental notification report. As details continue to emerge, Hunter Strategy's Williams says that the scale and scope of the breach may be even larger than it currently appears.

“I expect the impact to be more significant than access to just a few unclassified documents,” he says.

US Treasury Department Admits It Got Hacked by China

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of 'rundeploy.sh' script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.

Title: ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution  
Advisory ID: ZSL-2024-5891  
Type: Local/Remote  
Impact: Security Bypass, DoS  
Risk: (5/5)  
Release Date: 30.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated shell command execution vulnerability through the deployStart.php script. This allows any user to trigger the execution of 'rundeploy.sh' script, which initializes the Java deployment server that sets various configurations, potentially causing unauthorized server initialization and performance issues.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[30.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_rce19.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://www.cve.org/CVERecord?id=CVE-2024-48840  
\[3\] https://packetstorm.news/files/id/183307/

**Changelog**

\[30.12.2024\] - Initial release  
\[02.01.2025\] - Added reference \[3\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.02 (deployStart.php) Unauthenticated Command Execution

The ABB Cylon controller suffers from an authenticated path traversal vulnerability. This can be exploited through the 'devName' POST parameter in the ethernetUpdate.php script to write partially controlled content, such as IP address values, into arbitrary file paths, potentially leading to configuration tampering and system compromise including denial of service scenario through ethernet configuration backup file overwrite.

Title: ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) Authenticated Path Traversal  
Advisory ID: ZSL-2024-5890  
Type: Local/Remote  
Impact: Manipulation of Data, DoS, Security Bypass  
Risk: (4/5)  
Release Date: 30.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB Cylon controller suffers from an authenticated path traversal vulnerability. This can be exploited through the 'devName' POST parameter in the ethernetUpdate.php script to write partially controlled content, such as IP address values, into arbitrary file paths, potentially leading to configuration tampering and system compromise including denial of service scenario through ethernet configuration backup file overwrite.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[30.12.2024\] Public security advisory released.

**PoC**

abb\_aspect\_dir2.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://packetstorm.news/files/id/183306/

**Changelog**

\[30.12.2024\] - Initial release  
\[02.01.2025\] - Added reference \[2\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) Authenticated Path Traversal

SUMMARY A recent report from the German news outlet Spiegel has revealed a significant security breach impacting hundreds…

****SUMMARY****

*   Sensitive data for 800,000 Volkswagen Group EVs was exposed on an unsecured cloud server.

*   The data leak, discovered by a whistle-blower, included GPS data and vehicle status, enabling owner tracking.

*   Affected users included politicians, police, and intelligence employees, with most vehicles in Europe.

*   The data leak revealed personal routines and locations, posing serious privacy risks.

*   The issue stemmed from Cariad’s system misconfiguration, which has since been addressed.

A recent report from the German news outlet Spiegel has revealed a significant security breach impacting hundreds of thousands of Volkswagen Group electric vehicle owners. The investigation found that sensitive location data for 800,000 vehicles, including those from Volkswagen, Audi, SEAT, and Skoda, was left exposed on an unsecured cloud server for months. 

The vulnerability was discovered by an anonymous whistle-blower and reported to the Chaos Computer Club (CCC), a prominent European hacker association. The exposure included personal data, including GPS coordinates and vehicle status, including detailed information about VW ID.3 and ID.4 owners stored on an unsecured Amazon cloud server. This allowed anyone with the right know-how to track the movements and habits of affected owners. 

https://berlin-ak.ftp.media.ccc.de//congress/2024/h264-hd/38c3-598-deu-Wir\_wissen\_wo\_dein\_Auto\_steht\_-\_Volksdaten\_von\_Volkswagen.mp4

Reportedly, the impacted EVs were located worldwide with the majority found in Germany and other parts of Europe. The affected owners not just include ordinary citizens but also prominent figures like German politicians, police officers, and even suspected intelligence service employees just like in October 2023 when a third-party contractor exposed over 500,000 Irish Police vehicle seizure records.  

This exposure extended far beyond simple vehicle location tracking. By linking vehicle data with other personal information, the researchers were able to gain unprecedented insights into the daily lives of affected owners.

For example, according to Spiegel’s report, it was able to track the movements of two German politicians with alarming precision, pinpointing their locations at various locations including a retirement home and military barracks, and profiling a mayor with her car tracking her movements from her work to her physical therapist.

That’s not all! Spiegel discovered terabytes of data on Amazon cloud storage, including the precise location of 460,000 vehicles, which could reveal crucial details of their owners. Moreover, the data also included information about the Hamburg police department’s electric cars, politicians, business leaders, Federal Intelligent Services employees, and the US Air Force’s Ramstein Air Base drivers.

The root of this security failure lies within Cariad, the Volkswagen Group’s software division. The company confirmed that a misconfiguration within their systems allowed unauthorized access to the sensitive data.

While Cariad insists that no financial or personally identifiable information was compromised, the potential for misuse of the exposed location data remains a significant threat. Cybercriminals could exploit this information for a variety of malicious purposes, including targeted stalking, blackmail, and even physical attacks.  

The CCC promptly contacted Lower Saxony’s State Data Protection Officer, Federal Ministry of the Interior, and other security bodies, and gave VW Group and Cariad 30 days to address the issue before going public. Cariad’s technical team promptly and responsibly blocked unauthorized access to customer data.

1.  **Cicada3301 Ransomware Hits French Peugeot Dealership**
2.  **Fuel Industry Software Provider Exposes SSNs and PII Data**
3.  **Builder.ai Database Exposes 1.29 TB of Unsecured Records**
4.  **Microsoft Power Pages Expose Millions of Records Globally**
5.  **13GB Data of Automobile Insurance Giant AA Exposed Online**

Exposed Cloud Server Tracks 800,000 Volkswagen, Audi, and Skoda EVs

From Elon Musk and Donald Trump to state-sponsored hackers and crypto scammers, this was the year the online agents of chaos gained ground.

For its entire existence as a global medium, the internet's evolution has been caught in a tug of war, pulled by opposing forces: on one side, moderation and control; on the other, disruption and anarchy.

This year, the most prominent actors weighing in on the side of disruption were familiar faces: The reckless oligarchs, cybercriminals, scammers, and state-sponsored hackers who made the internet feel particularly dangerous in 2024 were, to some degree, the same forces destabilizing the online world in 2023. But perhaps more than in any other recent year, those agents of chaos seemed to persist in the face of opposition, to grow in their influence—and to win.

From Elon Musk's completed remake of X in his own tech-bro image to Trump's disinformation-fueled campaign, to Russia's ongoing cyberattacks against Ukraine, to China's relentless onslaught of digital intrusions and crypto scammers' global spread, the online experience of 2024 was messy, hazardous, and Hobbesian. And for the most part, the people who made it that way are poised to exert even more influence over the year to come.

As we do every year, WIRED has assembled a list of the most dangerous people, groups, and organizations on the internet. Here are our picks for 2024.

**Elon Musk**

After years of evolution from entrepreneur to edgelord, Musk seemed to reach his final form this year in the run-up to November's US election. Once a technologist with ambiguous politics who occasionally pursued public arguments against scuba divers, Musk now uses his megaphone of 200-million-plus followers on X, the social media platform he fully controls, to broadcast an unrelenting stream of anti-regulation, anti-immigrant, anti-transgender, anti-press, anti-progressive talking points. He's amplified and repeated disinformation, like claims after the disastrous damage done by Hurricanes Helene and Milton that the Federal Emergency Management Agency (FEMA) was hoarding supplies or had spent its budget on migrants instead of needy Americans. He's repeated debunked theories about voter fraud and immigrants swinging elections. In at least one case, he's even seemed to drop a reference that suggest support for the QAnon movement, which maintains bizarre theories about satanic pedophile rings that only Donald Trump can destroy.

Meanwhile, Musk continues to push his AI startup, xAI, toward one of the most no-holds-barred visions of what that technology can make possible, with little regard for safety or preventing its use for disinformation. The company this year launched new image-generation capabilities in its Grok tool that were immediately used to create images of copyrighted characters, celebrities, and political figures in compromising or sexual positions. Musk himself at one point posted an AI-generated deepfake of Kamala Harris that mocked her with her own voice—with no annotation that it was not authentic—that received 150 million views.

More than any particular political message or technology he's pushed, however, the danger Musk represents is simply that the richest man in the world can buy one of the internet's most vital media platforms, then use it, along with hundreds of millions of dollars in donations, to elect the president of his choosing and shape US policy. After Trump's election, Musk was rewarded with hundreds of billions more in net worth. The system, in other words, is working—for oligarchs like Elon Musk.

**Donald Trump**

For the next four years, Donald Trump will once again be the most powerful single person in the world. This year, he was just a very loud one. On social media platforms like X—where Musk reinstated Trump's account despite a 2021 ban following his incitement of the January 6 storming of the US Capitol—and Trump's own Truth Social, he lit fires with false claims that arguably helped fuel his path to political victory. Like Musk, he made and repeated falsehoods such as FEMA spending its budget on immigrants rather than hurricane victims, or that immigrants were stealing and eating pets. By converting Robert F. Kennedy Jr. from a third-party candidate to an endorsing ally, Trump also reciprocally endorsed RFK Jr.'s long-running stream of anti-vaccine misinformation, rhetoric that has led to childhood vaccine rates now dipping to a lower level than before the Covid-19 pandemic.

Once his second term in office begins, Trump is poised to use digital surveillance to carry out a highly disruptive and even vindictive agenda: He's promised mass deportations of millions of immigrants starting on day one of his administration, and he's vowed to target political opponents and journalists with prosecution. There's little doubt that Trump will top this list in 2025. But in 2024, his words alone represent a clear and present danger.

**Volt Typhoon**

In the cybersecurity world, the last months of 2024 have been dominated by warnings from public officials about a Chinese state-sponsored hacking group known as Salt Typhoon, which has penetrated at least eight telecoms, in some cases accessing the real-time calls and texts of Americans. But in the midst of that cyberespionage scandal, a different, far more dangerous digital threat from China still quietly looms: A Chinese state-sponsored group called Volt Typhoon spent much of 2024 continuing its stealthy campaign to breach US critical infrastructure facilities—not to spy on communications, but to prepare for a potential cyberattack. While headlines about Volt Typhoon have largely dissipated since it was first called out and named by Microsoft in May of 2023, officials warn that the group continues to “pre-position” itself inside of networks that appear to be chosen for maximum disruption, perhaps timed to a Chinese invasion of Taiwan. Given that Chinese head of state Xi Jinping has told his country's military to be prepared for that invasion by 2027, now is the time to head off the digital salient of what could be a world-shaking future war.

**Sandworm**

While Volt Typhoon prepares, Sandworm attacks. The Russian hacking group, a unit of the country's GRU military intelligence agency, has in fact carried out many of the most disruptive cyberattacks of the past decade. Those attacks—mostly in Ukraine—include at least three blackouts triggered by its hacking, the destructive NotPetya malware that spread around the globe and inflicted $10 billion in damage, and countless data-destroying breaches that the group has carried out since the beginning of Russia's full-scale invasion of Ukraine in 2022. In 2024, as Russia fought Ukraine to a stalemate or regained territory in the east of the country, Sandworm continued to project its power beyond that front: Security firm StrikeReady discovered Sandworm targeting Ukraine's energy sector again this fall, perhaps in preparation for another round of electrical utility hacking, either to carry out its own attacks or as reconnaissance for the Russian military's now-annual physical bombing of Ukraine's grid.

**Israeli Military and Intelligence**

Last year, WIRED named both the IDF and Hamas on this list, a nod to each side's use of the internet in its propaganda efforts in the war in Gaza following Hamas' October 7 attack. This year, with Israel's adversaries in that conflict like Hamas and Hezbollah significantly weakened and in retreat, it's the Israeli forces that remain on the offensive. Israel's military continues to use AI tooling to identify targets for bombs as its strikes have killed tens of thousands of Gazan civilians and leveled entire cities in the territory. Israeli missiles continue to intermittently knock out Gaza's communications infrastructure, destroying 80 percent of the country's top telecom's cell towers and leading to information blackouts amid the destruction and starvation of that now year-plus siege. Add to all of that a still-mysterious Israeli supply chain attack that hid lethal explosives in pagers and walkie-talkies in an effort to target Hezbollah operatives, which led to immediate distrust of all communications devices in the country, and Israel's government forces remain an internet apex predator by any definition.

**Black Cat/AlphV/RansomHub**

Ransomware in 2024 was, again, one of the most abhorrent forms of cybercrime to blight the internet. But few ransomware attacks in history have been quite as dangerous and damaging as the one that targeted UnitedHealthcare subsidiary Change Healthcare early this year, carried out by a ransomware group known as Black Cat or AlphV. Even after extracting a $22 million ransom from the company—a payment processor that handles around 40 percent of all health care insurance claims across the US—the hackers' disruption of Change's network continued to prevent the company from completing payments to pharmacies, clinics, health care practices, and hospitals across the country for weeks, causing some to even go out of business. Then, as if it hadn't inflicted enough chaos, AlphV ran off with Change's ransom money instead of sharing it with a group of hackers with whom it had partnered to infiltrate the company. That led the jilted hackers to share the data stolen from Change Healthcare with another, newer ransomware crew called RansomHub, which extorted the company a second time—an unprecedented health care cybersecurity debacle.

**The Com**

Even in an age of state-sponsored Chinese cyberspies, Russian hacker saboteurs, and ransomware gangs, nihilistic young hackers remain a constant in the darker corners of the internet. And few of those corners are as dark as the ones frequented by the Com. The loose movement of online trolls and criminals who operate under the Com banner in channels on Telegram and Discord, many just in their teens, engage in some of the most despicable digital crimes possible, from petty crypto theft and ransomware to sextortion, harassment, and the creation and trade of child sexual abuse material. This year, several members of a Com subgroup of ransomware hackers known as Scattered Spider were arrested, following their alleged high-profile 2023 attacks on companies including Caesar's Entertainment and MGM Resorts. But other members of the group are allegedly responsible for the serial breaches of well over a hundred customers of the cloud provider Snowflake. It's a safe bet that the Com will continue to serve as a haven for plenty more criminal acts to come.

**Data Brokers**

Once, privacy fears centered on government agencies like the FBI and NSA and their ability to carry out mass surveillance worldwide. Now, increasingly, we give away that same surveillance data en masse to companies you've never heard of. This year, it came to light that several data brokers collect and then sell access to Americans' highly granular location data pulled from their phones. Surveillance services like Babel Street's LocateX allegedly can—and do—track visitors to sensitive locations abortion clinic or mosques. A data broker called Near Intelligence left a vast cache of location data exposed online, revealing the movements of hundreds of visitors to sex trafficker Jeffrey Epstein's island in the Caribbean. Reporting on both companies has demonstrated how much private location data our devices leave behind as revelatory digital detritus, and how the possession of that data now extends far beyond government agencies to little-known firms with highly questionable privacy and security practices.

**Character.AI**

If 2023 was the year that AI tools future-shocked the internet with their seemingly abrupt rise to prominence, 2024 was the year that those tools became normalized, quietly settling into common use in spite of all their alleged flaws and ethical problems. Yet those issues are still there, and perhaps no startup better exemplifies them than Character.AI, an AI firm backed by $2.7 billion in investment from Google. According to lawsuits filed in Texas and Florida against the company, its chatbots have encouraged children to engage in self-harm and violence against their parents, and allegedly contributed to 14-year-old dying by suicide. Other chatbots hosted by the company have allegedly coached kids into developing eating disorders, role-playing as school shooters, and even seemed to be sexually grooming them. Despite repeatedly vowing to implement age restrictions, no meaningful age safeguards appear to have been added even now, according to news outlet Futurism. If this is the future of artificial intelligence, the AI era is going to be a dark age indeed.

**Crypto Scammers**

The crypto-based investment scams known as “pig butchering”—a term experts now say should be retired because it can further harm victims—pulled in a staggering $37 billion in 2023, and likely more in 2024. The victims of that explosively growing form of crimes aren't just those who fall for its scams and lose their life savings, but also many of the perpetrators of the scams themselves: As many as 200,000 people have been enslaved in compounds across Southeast Asia and forced to carry out the fraud schemes. In some cases, they've been kept in electrified shackles and faced threats of cattle prods and beatings from the gangs overseeing their work. This year, the dystopia those scammers have ushered in has begun to spread worldwide, with operations cropping up in the Middle East, Eastern Europe, Latin America, and West Africa. The targets of their fraud, of course, are even more global. Crypto scams have already become a top-tier form of cybercrime, and there's no end in sight to the expansion of this predatory underworld industry.

The Most Dangerous People on the Internet in 2024

An overview of incidents and news surrounding Artificial Intelligence in 2024.

A popular saying is: “To err is human, but to really foul things up you need a computer.”

Even though the saying is older than you might think, it did not come about earlier than the concept of artificial intelligence (AI).

And as long as we have been waiting for AI technology to become commonplace, if AI has taught us one thing this year, then it’s that when humans and AI cooperate, amazing things can happen. But amazing is not always positive.

There have been some incidents in the past year that have made many people even more afraid of AI than they already were.

We started off 2024 with a warning from the British National Cyber Security Centre (NCSC) telling us it expects AI to heighten the global ransomware threat.

A lot of AI related stories this year dealt with social media and other public sources that were scraped to train an AI model.

For example, X was accused of unlawfully using the personal data of 60 million+ users to train its AI called Grok. Underlining that fear, we saw a hoax go viral on Instagram Stories that told people they could stop Meta from harvesting content by copying and pasting some text.

Facebook had to admit that it scrapes the public photos, posts and other data from the accounts of Australian adult users to train its AI models, which no doubt contributed to Australia’s ban on social media for children under the age of 16.

As with many developing technologies, sometimes the race to stay ahead is more important than security. This was best demonstrated when an AI companion site called Muah.ai got breached and details of all its users’ fantasies were stolen. The hacker described the platform as “a handful of open-source projects duct-taped together.”

We also saw an AI supply-chain breach when a chatbot provider exposed 346,000 customer files, including ID documents, resumes, and medical records.

And if the accidents didn’t scare people off, there were also some outright scams targeting people that were eager to use some of the popular applications of AI. A free AI editor lured victims into installing an information stealer which came in both Windows and MacOS flavors.

We saw further refinement of an ongoing type of AI-supported scam known as deepfakes. Deepfakes are AI-generated realistic media, created with the aim of tricking people into thinking the content of the video or image actually happened. Deepfakes can be used in scams and in disinformation campaigns.

A deepfake of Elon Musk was named the internet’s biggest scammer as it tricked an 82-year-old into paying $690,000 through a series of transactions. And AI-generated deepfakes of celebrities, including Taylor Swift, led to calls for laws to make the creation of such images illegal.

Video aside, we reported on scammers using AI to fake the voices of loved ones to tell them they’ve been in an accident. Reportedly, with the advancements in technology, only one or two minutes of audio—perhaps taken from social media or other online sources—are needed to generate a convincing deepfake recording.

Voice recognition doesn’t always work the other way around though. Some AI models have trouble understanding spoken words. McDonalds ended its AI drive through order taker experiment with IBM after too many incidents, including customers getting 260 Chicken McNuggets or bacon added to their ice cream.

To sign off on a positive note, a mobile network operator is using AI in the battle against phone scammers. AI Granny Daisy uses several AI models that work together listening to what scammers have to say, and then responding in a lifelike manner to give the scammers the idea they are working on an “easy” target. Playing on the scammers’ biases about older people, Daisy usually acts as a chatty granny while at the same time wasting the scammers’ time that they can’t use to work on real victims.

What do you think? Do the negatives outweigh the positives when it comes to AI, or is it the other way round? Let us know in the comments section.

 2024 in AI: It&#8217;s changed the world, but it’s not all good 

The US water sector suffered a stream of cyberattacks over the past year and half, from a mix of cybercriminals, hacktivists, and nation-state hacking teams. Here's how the industry and ICS/OT security experts are working to better secure vulnerable drinking and wastewater utilities.

Source: Vyacheslav Lopatin via Alamy Stock Photo

The unprecedented wave of high-profile cyberattacks on US water utilities over the past year has just kept flowing.

In one incident, pro-Iranian hackers penetrated a Pittsburgh-area water utility's PLC and defaced the touchscreen with an anti-Israel message, forcing the utility to revert to manual control of its water pressure-regulation system. A water and wastewater operator for 500 North American communities temporarily severed connections between its IT and OT networks after ransomware infiltrated some back-end systems and exposed its customers' personal data. Customer-facing websites and the telecommunications network at the US's largest regulated water utility went dark after an October cyberattack.

Those were just some of the more chilling stories that have recently sparked fear over the security and physical safety of drinking water and wastewater systems. The cyberattacks have spurred warnings and security guidelines from the Cybersecurity and Infrastructure Security Agency (CISA), the White House, the FBI and the Office of the Director of National Intelligence (ODNI), the Environmental Protection Agency (EPA), and the Water ISAC (Information Sharing and Analysis Center).

Most of the attacks landed on the softest of targets, small water utilities without security expertise and resources, in mainly opportunistic attacks. Meanwhile, cyberattacks on large utilities like Veolia and American Water hit IT, not OT, systems — none of which actually disrupted water services. Overall, the cyberattacks on water appeared to be mainly about "poking around and eroding confidence," says Gus Serino, president of I&C Secure and a former process control engineer for the Massachusetts Water Resources Authority.

Related:IoT Cloud Cracked by 'Open Sesame' Over-the-Air Attack

The race is now on to secure the water sector — especially the smaller more vulnerable utilities — from further cyberattacks. Many larger water utilities already have been "stepping up their game" in securing their OT networks, and others started building out their security infrastructures years ago, notes Dale Peterson, president of ICS/OT security consultancy Digital Bond. "My first client in 2000 was a water utility," he recalls. "Some \[large utilities\] have been working on this for a very long time."

The challenge lies in securing smaller utilities, without overprescribing them with unnecessary and high-overhead security infrastructure. Tools that require expertise and overhead are a nonstarter at sites where there isn't even dedicated IT support, much less cyber know-how. Peterson argues that government recommendations for sophisticated security monitoring systems are just plain overkill for most small utilities. These tiny outfits have bigger and more tangible priorities, he says, like replacing aging or damaged pipes in their physical infrastructure.

Related:Frenos Takes Home the Prize at 2024 DataTribe Challenge

**ICS/OT Cyber-Risk: Something in the Water?**

Like other ICS/OT industries, water utilities of all sizes have been outfitting once-isolated programmable logic controller (PLC) systems and OT equipment with remote access, so operators can more efficiently monitor and manage plants from afar — to control water pumps or check alarms, for instance. That has put traditionally isolated equipment at risk.

"They are starting and stopping pumps, setting changes, responding to alarms or failures \[in\] a system. They remote in to look at SCADA/HMI screens to see what's wrong or to take corrective action," explains I&C Secure's Serino, who works closely with water utilities. He says it's rare for those systems to be properly segmented, and VPNs are "not always" used for secure remote access.

PLC vendors such as Siemens are increasingly building security features into their devices, but water plants don't typically run this next-generation gear.

"I have yet to see any secure PLCs deployed" in smaller water sites, Serino says. "Even if there are new PLCs, their security features are not 'on.' So if you \[an attacker\] can get in and get access to the device on that network, you can do whatever you are capable of doing to a PLC."

Related:20% of Industrial Manufacturers Are Using Network Security as a First Line of Defense

Because many ICS/OT systems integrators that install OT systems traditionally do not also set up security for the equipment and software they install in water utility networks, these networks often are left exposed, with open ports or default credentials. "We need to help integrators making \[and installing\] SCADA equipment for these utilities make sure they are secured" for utilities, says Chris Sistrunk, technical leader of Google Cloud Mandiant's ICS/OT consulting practice and a former senior engineer at Entergy. 

Default credentials are one of the most common security weaknesses found in OT networks, as well as industrial devices sitting exposed on the public Internet. The Iranian-based Cyber Av3ngers hacking group easily broke into the Israeli-made Unitronics Vision Series PLCs at the Aliquippa Municipal Water Authority plant (as well as other water utilities and organizations), merely by logging in with the PLCs' easily discoverable factory-setting credentials.

The good news is that some major systems integrators such as Black & Veatch are working with large water utilities on building security into their new OT installations. Ian Bramson, vice president of global industrial cybersecurity at Black & Veatch, says his team works with utilities that consider security a physical safety issue. "They are looking to build \[security\] in and not bolt it in," he explains, to prevent any physical safety consequences from poor cybersecurity security controls.

**Cybersecurity Cleanup for Water**

Meanwhile, there are plenty of free cybersecurity resources for resource-strapped water utilities, including the Water-ISAC's top 12 Security Fundamentals and the American Waterworks Association (AWWA)'s free security assessment tool for water utilities that helps them map their environments to the NIST Cybersecurity Framework. Kevin Morley, manager of federal relations for the AWWA and a utility cybersecurity expert, says the tool includes a survey of the utility's technology and then provides a priority list of the security controls the utility should adopt and address, focusing on risk and resilience.

"It creates a heat map" of where the utility's security weaknesses and risks lie, he says. That helps arm a utility with a cybersecurity business case in the budget process. "They can go to leadership and say 'we did this analysis and this is what we found,'" he explains.

There's also a new cyber volunteer program that assists rural water utilities. The National Rural Water Association recently teamed up with DEF CON to match volunteer cybersecurity experts to utilities in need of cyber help. Six utilities in Utah, Vermont, Indiana, and Oregon encompass the initial cohort for the bespoke DEF CON Franklin project, where volunteer ICS/OT security experts will assess their security posture and help them secure and protect their OT systems from cyber threats.

Mandiant's Sistrunk, who serves as a volunteer cyber expert for some small utilities, points to three main and basic security steps small (and large) utilities should take to improve their defenses: enact multifactor authentication, especially for remote access to OT systems; store backups offline or with a trusted third party; and have a written response plan for who to call when a cyberattack hits.

Serino recommends a firewall as well. "Get a firewall if you don't have one, and have it configured and locked down to control data flows in and out," he says. It's common for firewalls at a water utility to be misconfigured and left wide open to outgoing traffic, he notes: "If an adversary can get in, they could establish their own persistence and command and control, so hardening up the perimeter" for both outgoing and ingoing traffic is important.

He also recommends centralized logging of OT systems, especially for larger water utilities with the resources to support logging and detection operations: "Have the ability to detect a problem so you can stop it before it reaches the end goal of causing an impact."

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Hackers Are Hot for Water Utilities

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'variant' HTTP POST parameter called by the clearProjectConfigurationAjax.php script.

Title: ABB Cylon Aspect 3.08.02 (clearProjectConfigurationAjax.php) Remote Code Execution  
Advisory ID: ZSL-2024-5888  
Type: Local/Remote  
Impact: System Access, DoS, Security Bypass  
Risk: (5/5)  
Release Date: 27.12.2024

**Summary**

ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

**Description**

The ABB BMS/BAS controller suffers from an authenticated blind OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'variant' HTTP POST parameter called by the clearProjectConfigurationAjax.php script.

**Vendor**

ABB Ltd. - https://www.global.abb

**Affected Version**

NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
Firmware: <=3.08.02

**Tested On**

GNU/Linux 3.15.10 (armv7l)  
GNU/Linux 3.10.0 (x86\_64)  
GNU/Linux 2.6.32 (x86\_64)  
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
PHP/7.3.11  
PHP/5.6.30  
PHP/5.4.16  
PHP/4.4.8  
PHP/5.3.3  
AspectFT Automation Application Server  
lighttpd/1.4.32  
lighttpd/1.4.18  
Apache/2.2.15 (CentOS)  
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86\_64)  
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)  
ErgoTech MIX Deployment Server 2.0.0

**Vendor Status**

\[21.04.2024\] Vulnerability discovered.  
\[22.04.2024\] Vendor contacted.  
\[22.04.2024\] Vendor responds.  
\[02.05.2024\] Working with the vendor.  
\[03.12.2024\] Vendor releases version 3.08.03 to address this issue.  
\[27.12.2024\] Coordinated public security advisory released.

**PoC**

abb\_aspect\_rce18.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk\>

**References**

\[1\] https://search.abb.com/library/Download.aspx?DocumentID=9AKK108469A7497&LanguageCode=en&DocumentPartId=&Action=Launch  
\[2\] https://packetstorm.news/files/id/183300/

**Changelog**

\[27.12.2024\] - Initial release  
\[30.12.2024\] - Added reference \[2\]

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: lab@zeroscience.mk

Tag

#intel