KEY SUMMARY POINTS Krispy Kreme, the beloved doughnut chain, disclosed a data breach on December 11, 2024, in…

****KEY SUMMARY POINTS****

*   **Krispy Kreme Data Breach:** The notorious Play ransomware group has claimed responsibility for the data breach at Krispy Kreme and is threatening to leak the data within two days.
*   **Threatening to Leak Data:** Hackers threaten to leak sensitive company data within two days.
*   **Play Ransomware and Doube Extortion:** The group uses a double-extortion model, exfiltrating and encrypting data.
*   **Play Ransomware Does Not Play:** Play Ransomware has a history of targeting various global sectors.
*   **International Links:** Recent reports link the group to North Korean state-backed hackers.

Krispy Kreme, the beloved doughnut chain, **disclosed a data breach** on December 11, 2024, in which its operations across the United States were disrupted. At the time, the identity of the attackers was unknown. However, Hackread.com can now exclusively reveal that the Play Ransomware group, also known as PlayCrypt, has claimed responsibility for the breach.

The Play Ransomware group made the announcement earlier today, December 19, via its **dark web** leak site. While Krispy Kreme has not disclosed whether any data was stolen or the nature of such data, the ransomware group is threatening to release sensitive internal company information within two days. The data reportedly includes the following:

*   **IDs**
*   **Client documents**
*   **payroll information**
*   **Financial information**
*   **Budgeting information**
*   **Accounting information**
*   **Tax-related information**
*   **Private and personal confidential data**

Screenshot from Play ransomware group’s dark web leak site (Credit: Hackread.com)

For context, the Play Ransomware group, which emerged in June 2022, specializes in targeting a wide range of sectors, including business, government, critical infrastructure, healthcare, and media. Their attacks have spanned across North America, South America, and Europe, making them a significant threat to the **cybersecurity infrastructure**.

The Play Ransomware group uses a double-extortion model, exfiltrating data before encrypting systems and threatening to release the stolen information if their ransom demands are not met. One of their most notable attacks occurred in June 2023, targeting Swiss government entities and resulting in data breaches that impacted hundreds of thousands of individuals.

**In July 2024**, Play Ransomware introduced a new variant designed to target Linux ESXi environments. However, the most alarming development came **in October 2024**, when a report from Palo Alto Networks’ Unit 42 revealed that the ransomware group was collaborating with North Korean government-backed hackers to carry out global attacks.

The Play Ransomware attack on Krispy Kreme is another reminder of the growing complexity and reach of cybercriminal groups. With their history of targeting critical sectors and recent collaboration with state-backed hackers, the group has now become a serious threat to businesses worldwide.

1.  **Aussie Food Giant Patties Foods Leaks Trove of Data**
2.  **Chowbus food delivery service suffers breach; data stolen**
3.  **FBI warns of ransomware attacks on Food, Agriculture sectors**
4.  **Dunkin Donuts Perks loyalty data breach: Change your password**
5.  **Hacker Claims Cisco Breach, Selling Stolen Data from Major Firms**

Play Ransomware Claims Krispy Kreme Breach, Threatens Data Leak

Criminals are luring victims looking to download software and tricking them into running a malicious command.

More and more, threat actors are leveraging the browser to deliver malware in ways that can evade detection from antivirus programs. Social engineering is a core part of these schemes and the tricks we see are sometimes very clever.

Case in point, there has been an increase in attacks that involve copying a malicious command into the clipboard, only to be later pasted and executed by the victims themselves. Who would have though that copy/paste could be so dangerous?

The new campaign we observed uses a a combination of malicious ads and decoy pages for software brands, followed by a fake Cloudflare notification that instructs users to manually run a few key combinations. Unbeknownst to them, they are actually executing PowerShell code that retrieves and installs malware.

**The discovery**

Our investigation into this campaign started from a suspicious ad for ‘notepad’ while performing a Google search. Such search queries have been a hot spot for criminals who want to lure victims that are looking to download programs onto their computer.

Based on previous evidence, criminals are tricking victims into visiting a lookalike site with the goal of downloading malware. In this case, the first part was true, but what unfolded next was new to us.

When we clicked the Download button, we were redirected to a new page that appeared to be Cloudflare asking us to “_verify you are human by completing the action below_“. This type of message is more and more common, as site owners try to prevent bots and other unwanted traffic.

But rather than having to solve a CAPTCHA, we saw another unexpected message: _“Your browser does not support correct offline display of this document. Please follow the instructions below using the “Fix it” button_“.

**Powerful technique**

This technique is actually not new in itself, and similar variants have been seen both via email spam and compromised websites before. It is sometimes referred to as ClearFake or ClickFix, and requires users to perform a manual action to execute a malicious PowerShell command.

Clicking on the ‘Fix It’ button copies that command into memory (the machine’s clipboard). Of course the user has no idea what it is, and may follow the instructions that ask to press the Windows and ‘R’ key to open the Run command dialog. CTRL+V pastes that command and Enter executes it.

Once the code runs, it will download a file from a remote domain (_topsportracing\[.\]com_) within the script. We tested that payload in a sandbox and observed immediate fingerprinting:

C:\\Users\\Admin\\AppData\\Local\\Temp\\10.exe  
    C:\\Windows\\SYSTEM32\\systeminfo.exe  
        C:\\Windows\\system32\\cmd.exe  
            C:\\Windows\\system32\\cmd.exe /c "wmic computersystem get manufacturer"

The information is then sent back to a command and control server (_peter-secrets-diana-yukon\[.\]trycloudflare\[.\]com_) abusing Cloudflare tunnels:

The use of Cloudflare tunnels by criminals was previously reported by Proofpoint to deliver RATs. We weren’t able to observe a final payload but it is likely of a similar kind, perhaps an infostealer.

**Campaign targets several brands**

This was not an isolated campaign for Notepad, as we soon found additional sites with a similar lure. There was a Microsoft Teams landing page which used exactly the same trick, followed by others such as FileZilla, UltraViewer, CutePDF and Advanced IP Scanner.

Oddly, we saw a lure for a cruise booking site. We have no idea how that came to be, unless the criminals agree that everyone needs a vacation sometimes.

**Overlap with other campaigns**

As mentioned previously, this type of social engineering attack is getting more and more popular. Researchers are tracking several different families under different names such as the original SocGholish.

Interestingly, the same domain (_topsportracing\[.\]com_) we saw in the malicious PowerShell command for Notepad++ was also used recently in another campaign known as #KongTuke:

As these schemes are being increasingly used by criminals, it is important to be aware of the processes involved. The Windows key and the letter ‘R’ pressed together open the Run dialog box. This is not something that most users will ever need to do, so always think carefully whenever you are instructed to perform this.

Malwarebytes customers are protected against this attack via our web protection engine for both the malicious sites and PowerShell command.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malicious domains

notepad-plus-plus.bonuscos\[.\]com  
microsoft.team-chaats\[.\]com  
cute-pdf\[.\]com  
ultra-viewer\[.\]com  
globalnetprotect\[.\]com  
sunsetsailcruises\[.\]com  
jam-softwere\[.\]com  
advanceipscaner\[.\]com  
filezila-project\[.\]com  
vape-wholesale-usa\[.\]com

Servers used before Cloudflare proxy

185.106.94\[.\]190  
89.31.143\[.\]90  
94.156.177\[.\]6  
141.8.192\[.\]93

Malware download URLs

hxxp\[://\]topsportracing\[.\]com/wpnot21  
hxxp\[://\]topsportracing\[.\]com/wp-s2  
hxxp\[://\]topsportracing\[.\]com/wp-s3  
hxxp\[://\]topsportracing\[.\]com/wp-25  
hxxp\[://\]chessive\[.\]com/10\[.\]exe  
hxxp\[://\]212\[.\]34\[.\]130\[.\]110/1\[.\]e

Malware C2

peter-secrets-diana-yukon\[.\]trycloudflare\[.\]com

 &#8216;Fix It&#8217; social-engineering scheme impersonates several brands 

Fortinet has patched CVE-2023-34990 in its Wireless LAN Manager (FortiWLM), which combined with CVE-2023-48782 could allow for unauthenticated remote code execution (RCE) and the ability to read all log files.

Source: Konstantin Nechaev via Alamy Stock Photo

NEWS BRIEF

Fortinet has finally patched a critical security vulnerability in its Wireless LAN Manager (FortiWLM) that could allow unauthenticated sensitive information disclosure. And, when chained with another issue, it could lead to remote code execution (RCE), a researcher warned.

The bug (CVE-2023-34990, CVSS 9.6) was first disclosed in March, when it was described as an "unauthenticated limited file read vulnerability" without a CVE.

"This issue results from the lack of input validation on request parameters allowing an attacker to traverse directories and read any log file on the system," Horizon3.ai security researcher Zach Hanley, who reported the bug to Fortinet, noted in March. He has confirmed to Dark Reading that the bug patched this week is the same issue.

He added, "Luckily for an attacker, the FortiWLM has very verbose logs — and logs the session ID of all authenticated users. Abusing the above arbitrary log file read, an attacker can now obtain the session ID of a user and login and also abuse authenticated endpoints."

NIST's National Vulnerability Database (NVD) has noted that the flaw can also be used to "execute unauthorized code or commands via specially crafted Web requests" — thanks to the access it provides to those authenticated endpoints.

The bug affects FortiWLM versions 8.6.0 through 8.6.5 (fixed in 8.6.6 or above) and versions 8.5.0 through 8.5.4 (fixed in 8.5.5 or above).

**Combining Fortinet Vulnerabilities to Achieve RCE**

Hanley back in March flagged a potential exploit chain as well: When CVE-2023-34990 is combined with an authenticated command-injection bug that Fortinet patched last year (CVE-2023-48782, CVSS 8.8), it becomes another recipe for RCE.

This second issue allows an attacker who has used CVE-2023-34990 to gain access to an authenticated endpoint to, from there, inject a crafted malicious string in a request to the /ems/cgi-bin/ezrf\_switches.cgi endpoint that will be executed with root privileges.

"Combining both the unauthenticated arbitrary log file read and this authenticated command injection, an unauthenticated attacker can obtain remote code execution in the context of root," Hanley explained. "This endpoint is accessible for both low privilege users and admins."

Admins should patch the Fortinet appliances ASAP, given the vendor's status as a most-favored cyberattack target.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Fortinet Addresses Unpatched Critical RCE Vector

In the last newsletter of the year, Thorsten recalls his tech-savvy gift to his family and how we can all incorporate cybersecurity protections this holiday season.

Thursday, December 19, 2024 14:02

Welcome to the final Threat Source newsletter of 2024. 

Watching "Die Hard" during the Christmas season has become a widely recognized tradition for many, despite ongoing debates about its classification as a Christmas movie. I know it isn't everyone's cup of tea. Whether you like the movie or not, let me share a story about what didn't quite go as planned in my family last year.  

When  some celebrities had their social media accounts compromised, I saw it as the perfect opportunity to introduce my family to the world of multi-factor authentication (MFA) for their online accounts. Our home IT setup is diverse— With Linux, Macs, Windows; Androids, iOS, we needed something cross-platform. Also, we needed a user-friendly solution as we have both standard users and IT experts (never underestimate your users). From my professional standpoint, I decided to go “all in” with hardware tokens - they work cross platform and "survive" one or the other OS installs from scratch. Providing two for each person was mandatory in case one got lost, which had happened to me already. So it wasn't a cheap exercise. In my defense, this was before the side-channel attack EUCLEAK was discovered, which has since expanded to affect more products as noted in the first release. 

In the spirit of John McClane : “Now I know what a TV dinner feels like.” 

The kids found the gift "boring" and almost a year later, the adoption rate is still only 30%. Fortunately, my wife had the foresight to prepare real presents for the family, saving Christmas Eve from being a "bad guys win" scenario. (Only John Thor can drive somebody that crazy.) 

I share this anecdote not to discourage you, but to help you avoid making the same mistake and risking your celebrations. Unless everyone gathered around the Christmas tree is an infosec professional, it might not be the time to go "Yippee-ki-yay Mr Falcon" with tech gifts.  

However, spending time with loved ones is a great opportunity to discuss the trends and importance of cybersecurity. We've been highlighting compromised credentials for a long time, as seen in our previous posts \[here\], \[here\], \[here\] and \[here\]. For the fourth consecutive time in over a year, the most observed means of gaining initial access was the use of valid accounts, making it clear identity-based attacks are becoming more prevalent, and wont be gone anytime soon. 

 Advocate for the use of a password managers—there are paid versions with family plans on one end, and excellent open-source alternatives on the other. Avoid storing credentials in browsers, as they can be extracted by info-stealers. Consider using passkeys where possible. According to the fido alliance, more than 20% of the world's top 100 websites support passkeys already. If passkeys are not yet enabled for one of your services? Any MFA is better than none. Even using "just" TOTP in a software container is a significant improvement over just a password. 

But it's not just about enabling MFA. As Martin wrote last week, we need to close the gap by communicating and understanding the the threat landscape. When it comes to stolen credentials, share resources like https://haveibeenpwned.com/ or https://sec.hpi.de/ilc/?lang=en with your loved ones so they can check if their email has been part of a breach.   

If you decide not to bother your friends & famliy (though I strongly believe Mbappe, Sweeny and Odenkirk would have preferred a more secure account) with Account/Password Hygiene, there are some more work related recommendations in Hazel’s “How are attackers trying to bypass MFA” 

Whichever is your idea of Christmas, then, like Argyle said, "I gotta be here for New Year's!"  

We look forward to seeing you in 2025!   

**The one big thing**

At the time of writing, our Vulnerability Research Team Disclosed 207 Vulnerabilities, and had another 93 reported to the respective Vendor in 2024.  Di you know  Talos has a team which investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do? Every day, they try to find vulnerabilities that have not yet been discovered, and then work to provide a fix for those before a zero-day threat could ever be executed. 

**Why do I care? **

We see threat actors exploiting known vulnerabilities constantly. Sometimes those CVEs are Years old.  

**So now what? **

Maybe you want to check for some CVEs or conduct a network security assessments.   
You can our team’s reports,roundups,spotlights and deep dives on our blog. 

**Top security headlines of the week **

 Blackhat Europe 2024 took place Dec 9-12 in London, UK. Loaded with a lot of interesting Sessions, my favorites are “Vulnerabilities in the eSIM download protocol” and “Over the Air: Compromise of Modern Volkswagen Group Vehicles” both showing how far an attack surface can possibly extend.  

Germany's Federal Office for Information Security (BSI) says it blocked communication between appr. 30.000 Android IoT Devices which were sold with BadBox malware preinstalled, and their command and control (C2) infrastructure by sinkholing DNS queries (Bleeping Computer)  

Law enforcement agencies worldwide disrupted a holiday tradition for cybercriminals: launching Distributed Denial-of-Service (DDoS) attacks. Booter and stresser websites were taken down, administrators were arrested and over 300 users were identified for planned operational activities. (Europool) 

The Willow chip is not capable of breaking modern cryptography,” Google’s director of quantum tells The Verge.

**Can’t get enough Talos? **

*   The evolution and abuse of proxy networks 
*   Microsoft Patch Tuesday for December 2024 contains four critical vulnerabilities 

**Upcoming events where you can find Talos **

  Cisco Live EMEA (February 9-14, 2025) 

Amsterdam, Netherlands 

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256:**873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**MD5:** d86808f6e519b5ce79b83b99dfb9294d    
**VirusTotal:**  
https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f   
**Typical Filename:** n/a   
**Claimed Product:** n/a    
**Detection Name:** Win32.Trojan-Stealer.Petef.FPSKK8  

**SHA256:**9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**VirusTotal:**  
https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**Typical Filename:** VID001.exe    
**Claimed Product:** n/a    
**Detection Name:** Win.Worm.Bitmin-9847045-0 

 **SHA 256:**  
7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86    
**VirusTotal:** https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**Typical Filename:** endpoint.query    
**Claimed Product:** Endpoint-Collector    
**Detection Name:** W32.File.MalParent  

 **SHA256:**47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**MD5:** 71fea034b422e4a17ebb06022532fdde   
**VirusTotal:** https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
**Typical Filename:** VID001.exe   
**Claimed Product:** n/a    
**Detection Name:** Coinminer:MBT.26mw.in14.Talos 

 **SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:**  
7bdbd180c081fa63ca94f9c22c457376    
**VirusTotal:** https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91   
**Typical Filename:** IMG001.exe    
**Claimed Product:** N/A     
**Detection Name:** Trojan/Win32.CoinMiner.R174018

Welcome to the party, pal!

Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader.  
These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular and feature-rich PDF readers on the market. 
The vulnerabilities

Thursday, December 19, 2024 13:53

Cisco Talos’ Vulnerability Research team recently disclosed three out-of-bounds read vulnerabilities in Adobe Acrobat Reader, and two use-after-free vulnerabilities in Foxit Reader.  

These vulnerabilities exist in Adobe Acrobat Reader and Foxit Reader, two of the most popular and feature-rich PDF readers on the market. 

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. Adobe's patched this in version 24.005.20320, and Foxit's patch appears in PDF Editor version 12.1.9/11.2.12.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.  

**Out-of-bounds read Adobe Acrobat Reader Vulnerabilities **

_Discovered by  KPC._  

Specially crafted font files embedded into a PDF can trigger out-of-bounds memory reads in TALOS-2024-2076 (CVE-2024-49534), TALOS-2024-2070 (CVE-2024-49533), and TALOS-2024-2064 (CVE-2024-49532), which could lead to the disclosure of sensitive information and further exploitation. An attacker must trick the user into opening a malicious file to trigger these vulnerabilities. 

**Foxit object use-after-free vulnerabilities **

_Discovered by KPC._ 

Two use-after-free vulnerabilities exist in the way Foxit Reader handles certain objects. TALOS-2024-2093 (CVE-2024-49576) and TALOS-2024-2094 (CVE-2024-47810) can be triggered by malicious JavaScript code in a PDF file. An attack needs to either trick a user into opening the malicious file, or the user must navigate to a maliciously crafted website while the Foxit browser extension is enabled. This vulnerability can lead to memory corruption and result in arbitrary code execution.

Acrobat out-of-bounds and Foxit use-after-free PDF reader vulnerabilities found

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-g5vr-rgqm-vf78: Spring Framework Path Traversal vulnerability

Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML.
 
The attacks involves the modification of DOCTYPE declaration in  XML configuration files.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-6v67-2wr5-gvf4: QOS.CH logback-core Server-Side Request Forgery vulnerability

A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn't enough to fix it.

Source: ZUMA Press, Inc. via Alamy Stock Photo

A critical, stubborn new vulnerability in Apache Struts 2 may be under active exploitation already, and fixing it isn't as simple as downloading a patch.

Struts 2 is an open source framework for building Java applications. Though long past its prime, Struts 2 remains common in older legacy systems across industries. In fact, its prevalence combined with its agedness is what makes its newly discovered vulnerability — CVE-2024-53677, CVSS 9.5 — so tricky. As its components have withered, and newer technologies and security practices have moved on, fixing any newly arising issues like this can require more than just a standard patch. 

"The risk lies in the fact that older applications are less likely to be integrated with a modern CI/CD pipeline," explains Chris Wysopal, chief security evangelist at Veracode. "As a result, updating the Struts 2 library, building and deploying a new version of a vulnerable application requires more manual effort and takes significantly longer. This significant effort will result in a longer window of vulnerability, during which attackers may exploit and take advantage of this weakness."

Wysopal assesses, "It is likely that we will see the exploitation of this vulnerability for weeks, as organizations find and fix all instances of Struts 2 usage."

Related:Delinea Joins CVE Numbering Authority Program

**RCE Bug in Apache Struts 2**

This same time last year, nearly to the day, a Struts 2 vulnerability with a "critical" 9.8 score in the Common Vulnerability Scoring System (CVSS) was disclosed to the public. CVE-2023-50164 resulted from attackers' ability to manipulate file upload parameters, opening the door to path traversal. Under certain conditions an attacker could upload a specially crafted malicious script in order to achieve remote code execution (RCE) on a server.

CVE-2024-53677 is CVE-2023-50164 regen. It, too, lies in Struts 2's File Upload Interceptor component, responsible for handling file uploads, and enables RCE via path traversal. In a blog post, Johannes Ullrich of the SANS Institute speculated that an inadequate patch for CVE-2023-50164 led to this latest déjà vu.

He also observed active exploitation attempts from one IP address, which utilized a public proof-of-concept (PoC). The attacker played with the vulnerability by uploading "a one-liner script that is supposed to return 'Apache Struts.' Next, the attacker attempts to find the uploaded script. The exploit attempt is very close to the original PoC. Since then, a slightly improved exploit has been uploaded to the same GitHub repository," he wrote.

Related:Does Desktop AI Come With a Side of Risk?

Typically in situations such as this, organizations are advised to apply patches as soon as possible. In the case of CVE-2024-53677, the story isn't quite as simple.

Organizations do need to upgrade to the latest version of Struts, 6.7.0 — or, at least, 6.4.0, released in the wake of CVE-2023-50164, which deprecated the File Upload Interceptor at issue. The fix isn't backward compatible, however, Apache noted in its security bulletin. IT teams will need to migrate to the newfangled Action File Upload Interceptor, and adjust how their existing applications handle file uploads by diligently rewriting their code to make use of it.

"It's not a simple version bump," warns Saeed Abbasi, manager of vulnerability research at Qualys. "It requires code rewrites, configuration adjustments, and can break existing logic and dependencies. In complex environments, removing all traces of the legacy interceptor poses significant challenges due to intricate plug-in chains and layered frameworks. This complexity is further compounded by the need for extensive regression testing."

**The Potential Scope of Impact for CVE-2024-53677**

The national centers for cybersecurity in Australia, Belgium, Canada, Singapore, and the UK have all released urgent security warnings regarding CVE-2024-53677. That this issue has attracted so much attention may not be obvious at first, since Struts 2 is so rarely used by developers today. It does, however, live on in legacy systems worldwide.

Related:Citizen Development Moves Too Fast for Its Own Good

In the 2000s, Struts 2 was king among Java Web frameworks. By 2007 it was receiving nearly 350,000 downloads per month. Its webpage received millions of monthly visits; even its newsletter had thousands of subscribers. Today, Wysopal says, "It no longer has mainstream appeal and is rarely chosen for new projects. Its presence is more an artifact of historical adoption rather than active popularity."

"Its 'kingdom' is confined to those stable, older applications in conservative industries — particularly finance, insurance, government, and large-scale manufacturing or logistics — often in organizations and regions that are regulated and less likely to modernize," he says. Case in point: a Struts 2 vulnerability was at the heart of the infamous 2017 Equifax breach.

Just how common is Struts 2 in legacy systems in 2024? Abbasi reports that within the first 24 hours following the disclosure of CVE-2024-53677, Qualys "observed tens of thousands of vulnerable instances, reflecting the breadth and urgency of the challenge."

To his view, "The persistence of Struts 2 in critical systems, long after more secure frameworks have emerged, illustrates the ongoing struggle enterprises face with technical debt. Many organizations run versions of Struts past their end-of-life, without proper planning which compounds the impact of new vulnerabilities. Enterprises need solid attack surface management, along with lifecycle management strategies, ensuring that critical frameworks are regularly updated, and deprecated components are swiftly phased out."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Orgs Scramble to Fix Actively Exploited Bug in Apache Struts 2

Non-human identities authenticate machine-to-machine communication. The big challenge now is to secure their elements and processes — before attackers can intercept.

Source: Poptika via Shutterstock

When industrial automation giant Schneider Electric revealed last month that ransomware gang Hellcat stole 40GB of sensitive data, the attackers acknowledged using exposed credentials to breach Schneider's Jira server. 

Once inside the company's project management system, attackers used the miniOrange REST API, a widely used authentication plug-in, to exfiltrate 400,000 rows of data, including 75,000 email addresses, employee names, and customer records. 

What this and dozens of other incidents have in common is that the attackers exploited vulnerabilities in non-human identities (NHIs). Unlike human identities used for authentication by individuals via identity and access management (IAM) credentials, NHIs, also known as machine identities or service accounts, are used by applications, services, and Internet of Things (IoT) installations for authenticating machine-to-machine communications. 

Predictably, investors are funding startups with products that govern and mitigate NHI risk, while more established companies are adding such capabilities, either internally or via acquisition. 

Astrix Security, a prominent startup that says it created the term NHI, earlier this month raised $45 million in Series B funding led by Menlo Ventures and artificial intelligence (AI) platform provider Anthropic, bringing its total funding to $85 million since its founding in 2021.

"A year ago, the term NHI did not exist, and now everyone is talking about them," says Astrix co-founder and CEO Alon Jackson.

Astrix describes its platform as a suite of identity security posture management (ISPM) tools, including non-human identity threat detection and response, NHI life cycle management, auto-remediation, and secrets scanning. 

**Where NHIs Are Vulnerable**

Typical NHIs include API keys, bots, OAuth tokens, database credentials, certificates, and secrets. As organizations have accelerated use of cloud-native applications, IoT infrastructure, and, most notably, AI-based automation during the past two years, NHIs have become a more alarming threat.

Unlike IAM and privilege access management (PAM), few organizations centrally manage NHIs, and there's greater likelihood that they have excessive permissions without expiration dates.

"There are numerous issues with NHIs, including unencrypted credentials, having a full inventory of NHI accounts, inactive accounts, and lack of account ownership," explained Omdia senior analyst Don Tait in a November report.  

Many CISOs are just learning the implications of NHIs. A recent Cloud Security Alliance (CSA) survey of over 800 security and IT professionals found that 24% plan to invest in NHI security during the next six months, and 36% will do so within a year.

More than half of those surveyed believe they may have experienced an incident related to NHIs. 

Astrix is not the only company with NHI discovery and remediation tools attracting investors. Among those that raised Series A funding in 2024 include Aembit ($25 million), Entro Security ($18 million), and Oasis Security ($35 million), which recently discovered the MFA bypass flaw Microsoft Azure. 

The most prominent bet on protecting NHIs was placed in May when CyberArk paid $1.54 billion to acquire machine identity management provider Venafi.

"As NHI continues to evolve, so are the notable vendors in this space," says Christopher Steffen, VP of research at Enterprise Management Associates (EMA). 

Meanwhile, AppSec providers are adding NHI protection capabilities to their offerings. GitGuardian, known for detecting and remediating leaked secrets in GitHub and other source code repositories, recently launched GitGuardian NHI Governance. GitGuardian officials describe it as an addition to its existing platform that will provide visibility and control of NHI life cycles and their associated secrets. 

GitGuardian's initial release will integrate with five key secrets management platforms: HashiCorp Vault, CyberArk Conjur, AWS Secrets Manager, Google Cloud Secrets Manager, and Azure Key Vault.

**Role of NHI Security **

Failure to adequately rotate credentials, overprivileged accounts or identities, and insufficient monitoring and logging are among the common causes of incidents involving compromised NHIs, the CSA report indicates.

"To claim their identity, machines authenticate via secrets like API keys, OAuth tokens, database credentials, usernames and passwords, and certificates," noted GitGuardian product manager Soudanya Ain in a blog post. "They've become the number one vector for a successful attack, frequently overlooked."

Besides the Schneider incident, the NHI Management Group counts over 40 breaches tied to compromised non-human identity credentials during the past two years, including:

*   Microsoft's Midnight Blizzard, which enabled the attackers to access and breach a legacy test OAuth application with elevated privileges.
    
*   The Snowflake breach, which compromised its various customers, including Santander Bank and Ticketmaster.
    
*   Last summer's GitHub extortion attacks by threat actors who used malicious OAuth apps to breach trusted third-party integrations.
    
*   A breach by an attacker who stole secrets, including authentication tokens from the popular Hugging Face open source repository of APIs and other resources for developers who build AI models. 
    

Next year, the risk from compromised NHIs is expected to grow, as is their proportion to human identities, as AI automates more business processes. Omdia's Tait noted industry estimates of the current ratio of NHIs to human identities is 50:1.

"That figure is only likely to increase going forward," he wrote. 

"We do expect NHI growth is going to accelerate further," added Maxine Holt, senior director of Omdia's cybersecurity practice, speaking during a December webinar presented by Dark Reading.

Holt warned that ungoverned NHIs will further raise the threat landscape.

"These identities do require management to ensure secure communication between different services and to prevent unauthorized access and facilitate accountability," she said. "Of course, we need the audit trail there as well. We believe that it's really important to recognize non-human identities as a vital link in the cyber threat chain."

According to the CSA survey, 69% said they are concerned about NHIs as a threat vector, while 38% reported that their organizations have low or no visibility to third parties connected by OAuth apps. Only 20% have a formal process for revoking API keys, and even fewer have procedures for rotating them. 

"There's definitely that trend toward understanding NHI security better and addressing them," said John Yeoh, CSA's global VP of research, at a public meeting in September. "We only expect the NHI field to explode and get out further."

**Blending NHIs and Human Identities **

The current crop of NHI platforms is designed for machine identities, not human credentials, managed by IAM and PAM systems from Microsoft, Okta, Ping Identity, JumpCloud, CyberArk, BeyondTrust, and OneLogin.

Astrix's Jackson says its new round of funding will, in part, go toward expanding integration with human identities.

"Our customers are asking for a 360-degree view of the human and the non-human identities," Jackson says. "But we will be keeping our edge on the NHI space. This is not just posture management and not just anomaly detection, but it's creating the connections in a secure manner."

GitGuardian, which deals with application security and platform engineering teams, has a similar ambition of providing links from its secrets vaults to IAM platforms.

"That's the plan," says Pierre Le Clézio, the company's lead product manager. "But not yet. We are starting with the secret managers and that ecosystem, and then we will have the IAM systems."

**Anticipate M&A Activity **

As NHI security continues to evolve, so will the notable providers, EMA's Steffen says.

"It seems very likely that larger technology players are going to jump into this space," he says. "Many already have complementary offerings, like Wiz and Palo Alto Networks, and are jumping into NHI — either through acquisition or developing their own solution."

Steffen also anticipates that identity providers like Ping and Okta will delve into NHI.

"They already have the infrastructure and the means to enhance NHI for most enterprises, as well as they already lead the market in identity solutions."

Omdia's Holt also anticipates M&A activity.

"The evolving threat landscape really does necessitate a shift toward comprehensive products and solutions that take on both human and non-human identities," she said. "But the market is still developing. A lot of the players are startups. We expect to see more of a move towards platform support and more acquisitions during 2025 for managing non-human identities."

**About the Author**

Contributing Writer

Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures. Previously, he was editor-in-chief of Redmond magazine and contributed to its sister titles Redmond Channel Partner, Application Development Trends, and Virtualization Review. Earlier, he held editorial roles with CommunicationsWeek, InternetWeek, and VARBusiness. Jeff is based in the New York City suburb of Long Island.

Vendors Chase Potential of Non-Human Identity Management

Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.

Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of **Acunetix**, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey.

Araneida Scanner.

Cyber threat analysts at **Silent Push** said they recently received reports from a partner organization that identified an aggressive scanning effort against their website using an Internet address previously associated with a campaign by FIN7, a notorious Russia-based hacking group.

But on closer inspection they discovered the address contained an HTML title of “**Araneida Customer Panel**,” and found they could search on that text string to find dozens of unique addresses hosting the same service.

It soon became apparent that Araneida was being resold as a cloud-based service using a cracked version of Acunetix, allowing paying customers to conduct offensive reconnaissance on potential target websites, scrape user data, and find vulnerabilities for exploitation.

Silent Push also learned Araneida bundles its service with a robust proxy offering, so that customer scans appear to come from Internet addresses that are randomly selected from a large pool of available traffic relays.

The makers of Acunetix, Texas-based application security vendor **Invicti Security**, confirmed Silent Push’s findings, saying someone had figured out how to crack the free trial version of the software so that it runs without a valid license key.

“We have been playing cat and mouse for a while with these guys,” said **Matt Sciberras**, chief information security officer at Invicti.

Silent Push said Araneida is being advertised by an eponymous user on multiple cybercrime forums. The service’s Telegram channel boasts nearly 500 subscribers and explains how to use the tool for malicious purposes.

In a “Fun Facts” list posted to the channel in late September, Araneida said their service was used to take over more than 30,000 websites in just six months, and that one customer used it to buy a Porsche with the payment card data (“dumps”) they sold.

Araneida Scanner’s Telegram channel bragging about how customers are using the service for cybercrime.

“They are constantly bragging with their community about the crimes that are being committed, how it’s making criminals money,” said **Zach Edwards**, a senior threat researcher at Silent Push. “They are also selling bulk data and dumps which appear to have been acquired with this tool or due to vulnerabilities found with the tool.”

Silent Push also found a cracked version of Acunetix was powering at least 20 instances of a similar cloud-based vulnerability testing service catering to Mandarin speakers, but they were unable to find any apparently related sales threads about them on the dark web.

Rumors of a cracked version of Acunetix being used by attackers surfaced in June 2023 on Twitter/X, when researchers first posited a connection between observed scanning activity and Araneida.

According to an August 2023 report (PDF) from the **U.S. Department of Health and Human Services** (HHS), Acunetix (presumably a cracked version) is among several tools used by APT 41, a prolific Chinese state-sponsored hacking group.

**THE TURKISH CONNECTION**

Silent Push notes that the website where Araneida is being sold — **araneida\[.\]co** — first came online in February 2023. But a review of this Araneida nickname on the cybercrime forums shows they have been active in the criminal hacking scene since at least 2018.

A search in the threat intelligence platform Intel 471 shows a user by the name Araneida promoted the scanner on two cybercrime forums since 2022, including **Breached** and **Nulled**. In 2022, Araneida told fellow Breached members they could be reached on Discord at the username “**Ornie#9811**.”

According to Intel 471, this same Discord account was advertised in 2019 by a person on the cybercrime forum **Cracked** who used the monikers “**ORN**” and “**ori0n**.” The user “ori0n” mentioned in several posts that they could be reached on Telegram at the username “**@sirorny**.”

Orn advertising Araneida Scanner in Feb. 2023 on the forum Cracked. Image: Ke-la.com.

The Sirorny Telegram identity also was referenced as a point of contact for a current user on the cybercrime forum Nulled who is selling website development services, and who references araneida\[.\]co as one of their projects. That user, “**Exorn**,” has posts dating back to August 2018.

In early 2020, Exorn promoted a website called “**orndorks\[.\]com**,” which they described as a service for automating the scanning for web-based vulnerabilities. A passive DNS lookup on this domain at DomainTools.com shows that its email records pointed to the address **ori0nbusiness@protonmail.com**.

Constella Intelligence, a company that tracks information exposed in data breaches, finds this email address was used to register an account at **Breachforums** in July 2024 under the nickname “**Ornie**.” Constella also finds the same email registered at the website netguard\[.\]codes in 2021 using the password “**ceza2003**” \[full disclosure: Constella is currently an advertiser on KrebsOnSecurity\].

A search on the password ceza2003 in Constella finds roughly a dozen email addresses that used it in an exposed data breach, most of them featuring some variation on the name “**altugsara**,” including **altugsara321@gmail.com**. Constella further finds altugsara321@gmail.com was used to create an account at the cybercrime community **RaidForums** under the username “**ori0n**,” from an Internet address in Istanbul.

According to DomainTools, altugsara321@gmail.com was used in 2020 to register the domain name **altugsara\[.\]com**. Archive.org’s history for that domain shows that in 2021 it featured a website for a then 18-year-old **Altuğ Şara** from Ankara, Turkey.

Archive.org’s recollection of what altugsara dot com looked like in 2021.

**LinkedIn** finds this same **altugsara\[.\]com** domain listed in the “contact info” section of a profile for an **Altug Sara** from Ankara, who says he has worked the past two years as a senior software developer for a Turkish IT firm called **Bilitro Yazilim**.

Neither Altug Sara nor Bilitro Yazilim responded to requests for comment.

Invicti’s website states that it has offices in Ankara, but the company’s CEO said none of their employees recognized either name.

“We do have a small team in Ankara, but as far as I know we have no connection to the individual other than the fact that they are also in Ankara,” Invicti CEO **Neil Roseman** told KrebsOnSecurity.

Researchers at Silent Push say despite Araneida using a seemingly endless supply of proxies to mask the true location of its users, it is a fairly “noisy” scanner that will kick off a large volume of requests to various API endpoints, and make requests to random URLs associated with different content management systems.

What’s more, the cracked version of Acunetix being resold to cybercriminals invokes legacy Acunetix SSL certificates on active control panels, which Silent Push says provides a solid pivot for finding some of this infrastructure, particularly from the Chinese threat actors.

Further reading: Silent Push’s research on Araneida Scanner.

Tag

#web