Pentest Checklists Are More Important Than Ever
Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization’s attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically

Penetration Testing / API Security

****Pentest Checklists Are More Important Than Ever****

Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization's attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically uncover vulnerabilities in various assets like networks, applications, APIs, and systems. They ensure no critical area is overlooked and guide the testing process, making it more efficient and effective at identifying security weaknesses that could be exploited by attackers. A pentest checklist essentially leaves no stone unturned and is a detailed and comprehensive list of every type of vulnerability in which to simulate an attack against.

Each asset being tested, however, requires a different pentest checklist tailored to its specific characteristics and risks. For example, a checklist for pentesting web applications – which remains one of the top targets by malicious actors - will be quite lengthy but encompasses vulnerabilities that are unique to external-facing apps. These specialized checklists are a litmus test to ensure that security measures are evaluated, assesses for effectiveness, depending on the asset, and make overall testing more targeted and relevant to each environment.

BreachLock recently introduced a comprehensive guide that includes detailed pentest checklists of the primary stages involved in pentesting using various frameworks such as OWASP Top 10 and OWAS ASVS across every asset and all respective associated vulnerabilities for the following:

*   **Network –** A pentest checklist for a Black Box external network testing including information gather, vulnerability scanning and enumeration, generic security findings, and service-based testing.
*   **Web Applications**. A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **APIs –** A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **Mobile -** A pentest checklist for Gray Box testing including static analysis, dynamic analysis, and network analysis.
*   **Wireless** – An abbreviated pentest checklist including identification of wireless network (SSID), unauthorized access to wireless networks, access security controls, and rogue access point detection
*   **Social Engineering**\- Aa abbreviated pentest checklist including phishing attacks, pretexting and impersonation, USB drops, and physical penetration.

This is a summary of why pentest checklists are important including an overview of a general pentest checklist. A complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets, can be accessed here.

****Overview of Pentesting Delivery Models****

Penetration testing has become one of the most effective offensive security measures to identify and assess vulnerabilities across both internal and external attack surfaces. Traditional pentesting methods have certainly evolved and penetration testing services are now widely used to help fortify an organization's security posture.

Pentesting is carried out by certified security experts who simulate real-world attacks to identify vulnerabilities for assessment and mitigation within a specific scope. These tests are based on detailed pentest checklists that are tailored by asset (e.g., web applications, network, APIs, etc.) and act as a guide for the pentest checklist process, ensuring standardized frameworks are used and testing adheres to applicable compliance requirements.

To better understanding pentesting, below are the varied methods used for penetration testing that lie in the delivery model, scalability, and frequency of testing, followed by pentest checklists by asset type.

****Delivery Models****

1.  **Traditional Penetration Testing:** Typically performed manually by a team of certified pentesting experts over a fixed period (often a few days or weeks). The engagement is project-based with a final report delivered upon completion of testing.
    *   **Frequency:** Usually performed on a periodic basis, such as annually or semi-annually, as part of compliance requirements or security audits.
    *   **Scalability:** Limited in scalability due to the manual effort required by human testers and the one-off nature of the engagement.
    *   **Advantage:** Deep analysis, thorough testing tailored to specific security requirements, and direct engagement with pentest experts.
    *   **Challenges:** Fixed time frame and limited scope of assessment, which can leave gaps between tests.
2.  **Penetration Testing as a Service (PTaaS):** PTaaS is a cloud-based model that offers ongoing penetration testing services, often integrated with platforms that provide real-time reporting and collaboration. It combines automated tools with human-led expertise.
    *   **Frequency:** A more proactive approach that allows for continuous or more frequent approach to detecting and updating vulnerabilities as they emerge, .
    *   **Scalability:** Highly scalable, as it leverages automation, cloud infrastructure, and hybrid models (automated testing with human validation), enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Scalable, on-demand accessibility, hybrid efficiency, convenience, provides real-time insights, and allows for ongoing security testing.
3.  **Automated or Continuous Penetration Testing:** Uses automation to continuously monitor and test systems for vulnerabilities and is often integrated with tools that run periodic scans.
    *   **Frequency:** Provides ongoing or continuous assessments rather than periodic tests. Can be used for ongoing pentesting to validate security measure and/or to uncover new vulnerabilities as they emerge.
    *   **Scalability:** Highly scalable, as it leverages automation enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Efficient for frequent testing of repetitive tasks or enterprises in high computing environments, cost-effective, and ideal for covering large attack surfaces and complex IT infrastructures.
    *   **Challenges:** Limited in identifying complex vulnerabilities and unique attack paths that require human intuition.
4.  **Human-led Penetration Testing:** A manual and well-scoped process where certified pentest experts simulate realistic attack scenarios and TTPs, focusing on complex vulnerabilities that automated tools may miss.
    *   **Frequency:** Relies on a human-driven approach whereby certified pentest experts explore potential attack vectors. Frequency is usually project-led and periodic.
    *   **Scalability:** Highly customized to the enterprise's unique environment and assets. However, limited scalability due to the manual effort required by human testers
    *   **Advantage:** In-depth analysis, greater flexibility, and a high success rate in discovering sophisticated vulnerabilities.
    *   **Challenges:** Can be more time-consuming and costly than automated methods.

****Pentest Checklists Across Your Attack Surfaces********High-Level Pentest Checklist****

Creating a detailed pentest checklist is essential for performing thorough and effective security assessments. This first checklist is a general but expanded checklist that offers a structure approach to ensure both enterprises and CREST-certified pentest experts cover all critical areas in evaluating cybersecurity defenses.

1.  **Set Clear Objectives and Define Scope**
    *   **Clarify Goals:** Set concise objectives of the pentest engagement, such as identifying weaknesses for specific assets, compliance or security audit, or post-incident reconnaissance.
    *   **Define Scope:** Specify the systems, networks, and applications that will be tested, including the type of testing (e.g., black box, white box, gray box) for each asset.
    *   **Establish Boundaries:** Set parameters to avoid disrupting operations, such as not testing certain assets or limiting tests to outside business hours.
2.  **Assemble Penetration Testing Team**
    *   **Build a Skilled Team:** Include certified professionals with diverse expertise, such as network, application security, or social engineering specialists.
    *   **Check Credentials:** Ensure pentest experts have relevant certifications like CREST, OSCP, OSWE, CEH, or CISSP, along with hands-on experience.
3.  **Obtain Necessary Approvals**
    *   **Get Formal Authorization:** Secure written consent from stakeholders detailing and agreeing upon scope, objectives, and limitations of the test to ensure legal compliance.
    *   **Document Process:** Record all stages of the approval process, including discussions and any agreed-upon conditions. If using a third-party pentesting provider, the scope and process should be documented and signed off on.
4.  **Information Gathering**
    *   **Analyze Targets:** Gather comprehensive information about the infrastructure, including hardware, software, network design, and configurations.
    *   **Use OSINT:** Apply open-source intelligence techniques to gather additional insights into the enterprise's online presence and potential weak points.
5.  **Generating a Pentest Roadmap**
    *   **Attack Surface Management:** Run automated scans using tools such as Nessus or OpenVAS to identify vulnerabilities, focusing on identifying issues without manual input to create a preliminary roadmap for penetration testing.
    *   **Validate Findings:** Results from these scans can be validated to rule out false positives, understand the real context and impact of each potential vulnerability, and categorize by severity to provide a clear roadmap for penetration testing.
6.  **Create a Threat Model**
    *   **Identify Potential Threats:** Review recent attacks and TTPs, consider likely attackers - from random hackers to more targeted - likely attack paths, sophisticated entities, and their motivations.
    *   **Map Attack Vectors:** Prioritize the possible ways an attacker could breach an enterprise based on its environment and the current threat landscape.
7.  **Simulate Attacks**
    *   **Follow a Structure Approach:** Conduct attacks systematically, attempting to exploit weaknesses, bypass controls, and gain higher privileges where possible.
    *   **Adhere to Ethical Standards:** Ensure testing is conducted by certified experts, following standardized frameworks and compliance standards, to minimize risks to systems and data.
8.  **Gather Data and Analyze Results**
    *   **Capture Evidence:** Collect thorough evidence for each attack, such as proof of concepts (POCs) via screenshots, potential attack paths for each domain and associated subdomains and IPs.
    *   **Assess Impact:** Evaluate the consequences or impact of each vulnerability, including potential data breaches, system compromise, and operational disruption and prioritize findings by risk severity and potential impact.
9.  **Prepare and Deliver Reports**
    *   **Document Findings:** Provide a detailed report on each vulnerability and technical descriptions, POCs, risk severity, potential impact, and remediation recommendations.
    *   **Prioritization:** Penetration testing or PTaaS providers will work with enterprises to rank vulnerabilities based on risk and develop a plan for remediation in line with available resources.
10.  **Support Remediation Efforts**
    *   **Actionable Mitigation:** Present clear recommendations on how to mitigate each issue based on severity and impact.
    *   **Retesting:** Verify effectiveness of remediation by conducting follow-up pentest to ensure issues have been resolved.
11.  **Communicate with Stakeholders**
    *   **Present Results:** Share findings by providing story of impact if no action is taken. This is a much more effective strategy then providing a laundry list of vulnerabilities. Summarize key risks and actions for non-technical stakeholders.
    *   **Foster Dialogue:** Engage in discussions to address any concerns or questions about reporting and remediation efforts.

****Conclusion****

Pentest checklists serve pentest experts and their organizations by ensuring a consistent, comprehensive, and systematic approach to identifying security vulnerabilities. A pentest checklist leaves no stone unturned and facilitates better communication between pentesters and stakeholders. They provide a clear outline of what will be tested, evaluated, and how the findings will be assessed. This transparency helps enterprises understand their security posture and to make more informed decisions about improvements.

Pentest checklists are not only effective in identifying vulnerabilities but ensure a systematic approach, using the best practices, tools, and frameworks, for penetration testing. They benefit pentesters by providing assurances to their organization and stakeholders that they are taking meaningful steps to protect their assets. Pentest checklists are a security blanket for any organization conducting penetration testing as a Service.

For more detailed pentest checklists, click here for the complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Guide:  The Ultimate Pentest Checklist for Full-Stack Security

Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Cybersecurity / Weekly Recap

Hi there! Here's your quick update on the latest in cybersecurity.

Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.

Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date.

In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe.

Let's get started!

****⚡ Threat of the Week****

**China Calls Volt Typhoon an Invention of the U.S.:** China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a "large-scale global internet surveillance network."

****‎️‍Trending CVEs****

CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164

****🔔 Top News****

*   **Apple macOS Flaw Bypasses Privacy Controls in Safari Browser:** Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
*   **Legitimate Red Team Tool Abuse in Real-World Attacks:** Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
*   **TrickMo Can Now Steal Android PINs:** Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device's unlock pattern or PIN by presenting to victims' a bogus web page that mimics the device's actual unlock screen.
*   **FIDO Alliance Debuts New Specs for Passkey Transfer:** One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it's impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
*   **Hijack Loader Uses Legitimate Code-Signing Certificates:** Malware campaigns are now leveraging a loader family called Hijack Loader that's signed legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

****📰 Around the Cyber World****

*   **Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days:** Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
*   **87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113:** About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
*   **Researchers Outline Early Cascade Injection:** Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction."
*   **ESET Israeli Partner Breached to Deliver Wiper Malware:** In a new campaign, threat actors infiltrated cybersecurity company ESET's partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding it was not compromised as a result of the incident.
*   **Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges:** Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it's focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it's using Chrome's accessibility APIs to find security bugs. "We're now 'fuzzing' that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash," Chrome's Adrian Taylor said.

**Cybersecurity Resources & Insights****LIVE Webinars**

**1.** **DSPM Decoded: Learn How Global-e Transformed Their Data Defense**: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this can't-miss webinar, Global-e's CISO breaks down:

*   The exact steps that transformed their data security overnight
*   Insider tricks to implement DSPM with minimal disruption
*   The roadmap that slashed security incidents by 70%

**2.** **Identity Theft 2.0: Defending Against LUCR-3's Advanced Attacks**: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?

Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he:

*   Decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets
*   Unveils the Achilles' heel in your cloud defenses you never knew existed
*   Arms you with the counterpunch that leaves LUCR-3 reeling

This isn't a webinar. It's your war room strategy session against the internet's most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3's next trophy.

**Cybersecurity Tools**

*   **Vulnhuntr****: AI-Powered Open-Source Bug Hunting Tool —** What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.

**Tip of the Week**

**Secure Your Accounts with Hardware Security Key:** For advanced protection, hardware security keys like YubiKey are a game-changer. But here's how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you're never locked out, even if one key is lost. Also, enable "FIDO2/WebAuthn" protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It's security that's physical, smart, and almost foolproof.

****Conclusion****

That's the roundup for this week's cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don't forget, cybersecurity isn't just for the IT team; it's everyone's responsibility. We'll be back next week with more insights and tips to help you stay ahead of the curve.

Stay vigilant, and we'll see you next Monday!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Cybersecurity Recap: Top Threats, Tools and News (Oct 14 - Oct 20)

A new document shows the Department of Homeland Security is concerned that Chinese investment in lithium batteries to power energy grids will make them a threat to US supply chain security.

Analysts at the US Department of Homeland Security shared an internal report to local agencies in August, warning them about the economic risks of using Chinese utility storage batteries. It warns that the dependence on Chinese batteries could hurt developing a secure supply chain in the US.

The document, first obtained by national security transparency nonprofit Property of the People and seen by WIRED, accuses Chinese companies of “using People’s Republic of China state support to quickly and cheaply enter the emerging US utility battery energy storage industry and create supply chain dependencies on China,” and asks that any suspicious activity be reported.

Specifically, the report alleges three companies—Contemporary Amperex Technology Co. Limited (CATL), Build Your Dreams (BYD), and Ruipu Energy Co. Ltd. (REPT)—have “benefited from the various forms of state support and leveraged this to further business strategies for gaining US market share.”

Currently, CATL and BYD lead the global energy storage battery market by far, with 40 percent and 12 percent market shares, respectively, according to South Korean energy research firm SNE Research. Eight out of the 10 top companies in the industry are from China, so there are few alternatives to turn to when building grid storage.

The report says it builds on previous documents that analyzed Chinese “state-supported firms’ use of noncompetitive tactics in the electric vehicle and battery supply chains.” DHS did not respond to a request for further comment.

In 2022, CATL entered a deal with Primergy Solar to build the largest US solar and storage project in Nevada, which came online this year. Its battery products have also been used by Duke Energy, a North Carolina–based utility company, although the latter dropped CATL as a supplier for marine base electricity storage after concerns around national security were raised by, in part, lawmakers in Washington.

In an emailed statement, Fred Zhang, a CATL spokesperson, rejects the categorization that the firm has relied on state support to gain an edge. “CATL has achieved tremendous growth through continuous innovation, farsighted strategic planning, and a commitment to high-quality products at a reasonable cost,” the statement says.

BYD and REPT did not reply to WIRED’s request for comment.

Following efforts to curb Chinese EV companies’ competitiveness, the US government is now also concerned about how domestic utility companies could become too dependent on Chinese batteries for energy storage.

The US government has in recent years started to catch up in the battery industry. The Inflation Reduction Act and the Bipartisan Infrastructure Bill set out investment tax credits and other economic incentives to build up energy storage capacity in the country. In September it awarded another $3 billion in incentives to projects that boost domestic production of batteries.

These incentives are also the focus of the DHS report, which alleges that Chinese-based firms are targeting US incentives to further grow their market share. “BYD’s public website as of spring 2023 highlighted how US state incentives can make BYD utility storage systems an attractive investment,” the report claims. (WIRED was unable to find the BYD website referenced in the report.)

The CATL spokesperson says the company “does not receive any US federal or state incentives.”

As the US utility grids incorporate more renewable energy sources like solar and wind, it’s essential to build up a battery storage capacity that can store intermittent energy supply for times of heightened demand. And Chinese companies have dominated the global industry of producing lithium batteries for this job. These companies make over 80 percent of the EV battery cells in the world, and they had plans to invest another $2 trillion in 2023 into new production capacities inside and outside the country.

“Chinese original equipment manufacturers currently supply about 90 percent of the energy storage system batteries, actually a larger share than for EVs,” says Vanessa Witte, a senior research analyst at Wood Mackenzie who focuses on US energy storage. “There is a huge oversupply right now, partly due to softening EV demand, along with a number of Tier 2 and Tier 3 OEMs that have started new manufacturing facilities. The excess supply is a big reason the prices are so low.”

These batteries are essential for global energy transition, and Chinese battery companies see them as an opportunity to widen their product markets. They’ve become such an important industry that the Chinese central government emphasized their importance for the first time in its annual government report in March.

The battery supply chain has also emerged as one of the top economic and security concerns around China in the eyes of the US government. The Biden administration has so far raised a 25 percent tariff on Chinese-made lithium-ion EV batteries (and even higher for the EVs they power.) The government has also repeatedly sounded alarms about the national security threats of having Chinese-made equipment and parts in domestic infrastructure.

So far, the particular conversations around energy storage batteries have mostly surrounded cybersecurity, worried that the components could contain backdoor access for hacking like those that have been suspected in Chinese-made port cranes. Those concerns are “a bit overstated,” Witte says. “There haven’t been any incidents that would lend one to believe the battery management system is sending data to China or could disrupt our infrastructure.”

There have been several political efforts to restrict the use of Chinese-made batteries in the US. The pentagon will be the first to be banned from buying batteries from six Chinese companies, in an order which will become effective in 2027, but some congressmembers are still asking for CATL and other Chinese companies to be added to trade blacklists, and there’s a bill in Congress that would ban DHS from procuring Chinese batteries.

But the DHS report shows that the government is also looking at whether the dominance of Chinese batteries can be an economic issue.

“It is simplistic to see this as just unfair competition due to Chinese government support, as a lot of what China did, such as creating demand for batteries through EV subsidies, is not unlike what we see in the West today,” says Yayoi Sekine, head of energy storage research at BloombergNEF.

The pricing advantage that Chinese battery companies have are also the results of harsh market competition and a more established battery supply chain in China, she says, and these battery companies are willing to squeeze their own margins in exchange for keeping their market shares. “We think the US government's attempts to support a healthy battery industry domestically has been incredibly generous through the incentives in the Inflation Reduction Act and the Bipartisan Infrastructure Law,” says Sekine, “but it may still be challenging to compete on cost.”

US Government Says Relying on Chinese Lithium Batteries Is Too Risky

The "Code-on-Toast" supply chain cyberattacks by APT37 delivered data-stealing malware to users in South Korea who had enabled Toast pop-up ads.

Source: Eric Anthony Johnson via Alamy Stock Photo

The North Korea-backed advanced persistent threat known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer Web browser over the summer, using it to mount a zero-click supply chain campaign on South Korean targets, researchers revealed.

While IE reached end of life in 2022 and many organizations don't use it anymore, there are plenty of legacy applications that do. In this case, APT37 (aka RedAnt, RedEyes, ScarCruft, and Group123) specifically targeted a Toast ad program that is usually installed alongside various free software, according to AhnLab SEcurity intelligence Center (ASEC). "Toasts" are pop-up notifications that appear at the right-bottom of a PC screen.

"Many Toast ad programs use a feature called WebView to render Web content for displaying ads," according to AhnLab researchers. "However, WebView operates based on a browser. Therefore, if the program creator used IE-based WebView to write the code, IE vulnerabilities could also be exploited in the program."

**A Hot-Buttered Zero-Click Toast Exploit**

According to AhnLab's analysis released last week, the state-sponsored cyberattack group compromised an ad agency, and then used the bug, tracked as CVE-2024-38178 (CVSS 7.5), to inject malicious code into the Toast script the agency uses to download ad content to people's desktops. Instead of ads, the script began delivering malware.

Related:South Korean APT Exploits 1-Click WPS Office Bug, Nabs Chinese Intel

"This vulnerability is exploited when the ad program downloads and renders the ad content," the researchers explained in their report on the attack, which they called "Code on Toast." "As a result, a zero-click attack occurred without any interaction from the user."

The malware delivered is the RokRAT, which APT37 has consistently used in the past.

"After infecting the system, various malicious behaviors can be performed, such as remote commands," the researchers noted, adding, "In this attack, the organization also uses Ruby to secure malicious activity persistence and performs command control through a commercial cloud server."

The campaign had the potential to cause significant damage, they said, but the attack was detected early. "In addition, security measures were also taken against other Toast advertising programs that were confirmed to have the potential for exploitation before the vulnerability patch version was released," according to AhnLab.

**IE Lurks in Apps, Remains a Cyber Threat**

Microsoft patched the bug in its August Patch Tuesday update slate, but the continued use of IE as a built-in component or related module within other applications remains a concerning attack vector, and an incentive for hackers to continue to acquire IE zero-day vulnerabilities.

Related:BlankBot Trojan Targets Turkish Android Users

"Such attacks are not only difficult to defend against with users' attention or antivirus, but can also have a large impact depending on the exploited software," AhnLab researchers explained in the report (PDF, Korean).

They added, "Recently, the technological level of North Korean hacking groups is becoming more advanced, and attacks that exploit various vulnerabilities other than IE are gradually increasing."

Accordingly, users should make sure to keep operating systems and software up to date, but "software manufacturers should also be careful not to use development libraries and modules that are vulnerable to security when developing products," they concluded.

Translation provided by Google Translate.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

DPRK Uses Microsoft Zero-Day in No-Click Toast Attacks

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS.…

A new Gorilla Botnet has launched massive DDoS attacks, targeting over 100 countries, according to cybersecurity firm NSFOCUS. This botnet, which utilizes Mirai botnet source code and advanced techniques, poses a growing and global threat.

NSFOCUS Global Threat Hunting System has detected a new cybersecurity threat: The Gorilla Botnet. In September 2024, this botnet launched a massive series of distributed denial-of-service attacks (DDoS attacks), targeting over 300,000 targets in over 100 countries.

According to NSFOCUS, a renowned Chinese company specializing in application security, Gorilla Botnet is inspired by the infamous **Mirai botnet** and has become a major concern due to its wide reach and stealth capabilities. Gorilla Botnetleverages a network of compromised IoT devices like an army to launch large-scale DDoS attacks. These attacks flood targeted systems with traffic, crippling their access to users.

What makes Gorilla Botnet particularly dangerous is its use of encryption to obscure key data, ensuring long-term control over compromised devices and supporting various CPU architectures, making it compatible with a wide range of devices.

Gorilla Botnet uses a distributed C&C network to manage its operations and offers a variety of DDoS attack methods, including UDP Flood, ACK Bypass Flood, and VSE Flood. Additionally, it utilizes connectionless protocols like UDP to spoof IP addresses and further hide its origin.  

****Global Reach and Impact****

Since September 2024, when its activity was first detected, Gorilla has wasted no time making its mark. In just a month, the botnet unleashed over 300,000 attack commands, averaging a whopping 20,000 per day.

This series of attacks targeted over 100 countries, including economic powerhouses like:

*   **China**
*   **Canada**
*   **Germany**
*   **United States**

Additionally, critical infrastructure including universities, government websites, telecoms, banks, and gaming platforms, fell victim to these attacks.  

****Advanced Capabilities****

According to NSFOCUS’s **report**, Gorilla Botnet’s sophistication goes beyond its attack methods. The malware incorporates encryption algorithms commonly **used** by the notorious **Keksec** hacking group, making it difficult to detect/analyze.

The botnet also shows a strong focus on persistence. By exploiting vulnerabilities like the Apache Hadoop YARN RPC flaw and installing services that automatically execute on system startup, Gorilla becomes a stubborn opponent to eradicate.   

Organizations should strengthen their cybersecurity to address the growing threat of the Gorilla Botnet. Firewalls help block suspicious traffic, while intrusion detection systems (IDS) can spot unusual activity and alert security teams. Using cloud-based **DDoS protection** can also help reduce high-volume attacks, minimizing downtime for critical systems.

1.  Goldoon Botnet Hit D-Link Devices by Exploiting 9-Year-Old Flaw
2.   Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
3.  Golang Botnet “Zergeca” Discovered, Delivers Brutal DDoS Attacks
4.  Mirai-like Botnet Hits Zyxel NAS Devices in Europe for DDoS Attacks
5.  US Charges Duo Behind Anonymous Sudan for 35,000 DDoS Attacks

Mirai-Inspired Gorilla Botnet Hits 0.3 Million Targets Across 100 Countries

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.
Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of

Vulnerability / Email Security

Unknown threat actors have been observed attempting to exploit a now-patched security flaw in the open-source Roundcube webmail software as part of a phishing attack designed to steal user credentials.

Russian cybersecurity company Positive Technologies said it discovered last month that an email was sent to an unspecified governmental organization located in one of the Commonwealth of Independent States (CIS) countries. However, it bears noting that the message was originally sent in June 2024.

"The email appeared to be a message without text, containing only an attached document," it said in an analysis published earlier this week.

"However, the email client didn't show the attachment. The body of the email contained distinctive tags with the statement eval(atob(...)), which decode and execute JavaScript code."

The attack chain, per Positive Technologies, is an attempt to exploit CVE-2024-37383 (CVSS score: 6.1), a stored cross-site scripting (XSS) vulnerability via SVG animate attributes that allows for execution of arbitrary JavaScript in the context of the victim's web browser.

Put differently, a remote attacker could load arbitrary JavaScript code and access sensitive information simply by tricking an email recipient into opening a specially-crafted message. The issue has since been resolved in versions 1.5.7 and 1.6.7 as of May 2024.

"By inserting JavaScript code as the value for "href", we can execute it on the Roundcube page whenever a Roundcube client opens a malicious email," Positive Technologies noted.

The JavaScript payload, in this case, saves the empty Microsoft Word attachment ("Road map.docx"), and then proceeds to obtain messages from the mail server using the ManageSieve plugin. It also displays a login form in the HTML page displayed to the user in a bid to deceive victims into providing their Roundcube credentials.

In the final stage, the captured username and password information is exfiltrated to a remote server ("libcdn\[.\]org") hosted on Cloudflare.

It's currently not clear who is behind the exploitation activity, although prior flaws discovered in Roundcube have been abused by multiple hacking groups such as APT28, Winter Vivern, and TAG-70.

"While Roundcube webmail may not be the most widely used email client, it remains a target for hackers due to its prevalent use by government agencies," the company said. "Attacks on this software can result in significant damage, allowing cybercriminals to steal sensitive information."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials

Hackers impersonate ESET in phishing attacks targeting Israeli organizations. Malicious emails, claiming to be from ESET, deliver wiper…

Hackers impersonate ESET in phishing attacks targeting Israeli organizations. Malicious emails, claiming to be from ESET, deliver wiper malware. Security researcher Kevin Beaumont exposes the attack. ESET denies direct compromise and points to partner involvement.

In a recent cyberattack, hackers targeted Israeli organizations by impersonating the cybersecurity firm ESET. The attackers sent phishing emails impersonating Slovak-based ESET, warning recipients of state-backed hackers targeting their devices.

The emails included a link to download a non-existent “ESET Unleashed program” that claimed to counter the attack. Clicking the link downloaded a ZIP file containing **wiper malware**, designed to wipe data from the infected device.

Security researcher Kevin Beaumont raised the alarm noting that the hackers had successfully breached ESET’s defences and were hosting malicious files on their servers. The emails were flagged as dangerous by Google, but many recipients may have fallen victim to the deception. 

The email, styled as ESET Advanced Threat Defense Team, and the downloads, styled as ESET Unleashed, contain various ESET DLLs and a file called setup.exe and call out to a legitimate org in Israel-www.oref.org.il. If a victim opened the ZIP file and ran the malware, it would proceed to delete files and data from their device. However, the malware required a physical PC and time to activate its destructive capabilities.

“ESET Israel definitely got compromised, this thing is fake ransomware that talks to an Israeli news org server for whatever reason,” Beaumont wrote in his **blog post**.

ESET responded to the incident by acknowledging that a security incident had occurred at their partner company in Israel, Comsecure, denying that their own infrastructure had been compromised. The official **statement** from ESET on X (Twitter) read:

_“We are aware of a security incident which affected our partner company in Israel last week. Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes. ESET technology is blocking the threat and our customers are secure. ESET was not compromised and is working closely with its partner to further investigate and we continue to monitor the situation.”_

The phishing campaign specifically targeted cybersecurity personnel within Israeli organizations, suggesting that the attackers were aiming to disrupt the country’s digital defences. The emails were sent on October 8th, the day after the anniversary of Hamas’ and other Palestinian militant groups’ armed incursions into Israel. A user on the **ESET Security Forum** quickly noticed the suspicious email and reported it.

The attackers gained access to Comsecure’s infrastructure likely through a security vulnerability or social engineering techniques. They then crafted carefully designed phishing emails that closely resembled ESET’s official style and branding.

The specific threat actor behind the campaign remains unclear. However, the tactics used are similar to those employed by the **pro-Palestine group Handala**, which recently **targeted** Israeli organizations with wiper malware and other cyberattacks. Cybersecurity firm Trellix has described Handala’s attacks as sophisticated and suggested possible links to Iran.

The ESET impersonation campaign is now blocked but it highlights the ongoing threat of phishing attacks and raises concerns about the security of ESET’s partner infrastructure and the potential for future attacks. To prevent similar attacks, organizations should prioritize verifying the authenticity of messages and implement advanced security measures.

1.  **Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack**
2.  **Facebook, Meta, Apple, Amazon Most Impersonated in Phishing Scams**
3.  **UpdateAgent malware variant impersonates legitimate macOS software**
4.  **Hackers Claim 10TB Data Breach at Russian Cybersecurity Firm Dr.Web**
5.  **Internet Crime Complaint Center Impersonated in Malware, Phishing Scam**

Hackers Use Fake ESET Emails to Target Israeli Firms with Wiper Malware

Microsoft researchers toyed with app permissions to uncover CVE-2024-44133, using it to access sensitive user data. Adware merchants may have as well.

Source: Delphotos via Alamy Stock Photo

A security weakness in the Safari browser on macOS devices might have exposed users to spying, data theft, and other forms of malware.

The issue is enabled by the special permissions Apple gives to its proprietary apps — in this case, its browser — and the ease with which an attacker can reach important app configuration files. In the end, it allows an attacker to bypass the Transparency, Consent, and Control (TCC) security layer that MacBooks use to guard sensitive data. Its CVE entry, CVE-2024-44133, has earned a "medium" severity 5.5 rating in the Common Vulnerability Scoring System (CVSS).

Researchers from Microsoft have named their exploit of CVE-2024-44133 "HM Surf." In a new blog post, they described how HM Surf could open the door to a user's browsing data, camera, and microphone, as well as their device's location, among other things. And the threat doesn't only appear to be theoretical: There's already inconclusive but not insignificant evidence to suggest that one adware program has already exploited CVE-2024-44133, or something quite like it, in the wild.

Apple released a fix for CVE-2024-44133 in its update to macOS Sequoia back on Sept. 16.

"It's a serious concern, because of the unauthorized access it gives," says Xen Madden, cybersecurity expert at Menlo Security, emphasizing the need for organizations to update their macOS devices. But, she adds, "By the looks of it, most EDR tools will detect it, especially since Microsoft Defender is detecting it."

**Exploiting HM Surf**

In any and all Apple devices, TCC is there to manage what sensitive data and features apps can access. If some app wants to access your camera, for example, thanks to TCC, you can rest assured that your Mac will ask for your permission first.

Unless your app has a special "entitlement." Some of Apple's proprietary apps possess entitlements — special permissions, approved by Apple, which allow them unique privileges compared to other apps. The core of why HM Surf works is Safari's entitlement, "com.apple.private.tcc.allow," which allows it to bypass TCC at an app level, and apply it only on a per website ("per origin") basis. In other words, Safari can freely access your camera and microphone as it wishes, but any given website you visit through Safari likely cannot.

Safari's configuration — including the rules that define per-origin TCC protections — are stored in various files under ~/Library/Safari, within the user's home directory. Manipulating these files could provide a path to TCC bypass, though the home directory is itself TCC protected.

Getting around that roadblock is simple, though, using the autological directory service command line utility (DSCL), a tool in macOS for managing directory services from the command line. In HM Surf, DSCL is used to temporarily change the home directory, removing the TCC umbrella shielding ~/Library/Safari. Now they could modify Safari's per-origin TCC configurations — allowing all kinds of permissions for a malicious website of their own creation — before ultimately reinstating the home directory. Thereafter, if a user visited the malicious site, the site would have full rein to capture screenshots, location data, and more, without ever triggering a permission pop-up.

**Was CVE-2024-44133 Already Exploited?**

After concocting their exploit, Microsoft started scanning customer environments for activity that aligned with what they'd found. On one device, lo and behold, they spotted something quite closely resembling what they were looking for.

It was a program digging into the victim's Chrome configuration settings, adding approval for microphone and camera access to a specific URL. It also did more: gathering user and device information, laying the groundwork for a second-stage payload.

This program, it turned out, was a well-known macOS adware program called "AdLoad." AdLoad hijacks and redirects browser traffic, pestering users with unwanted advertisements. It also goes further: harvesting user data, turning infected devices into nodes in a botnet, and acting as a staging ground for further malicious payloads.

In its blog post, Microsoft noted that though AdLoad's activity closely resembled the HM Surf technique, "Since we weren’t able to observe the steps taken leading to the activity, we can’t fully determine if the AdLoad campaign is exploiting the HM surf vulnerability itself." Still, it added, "Attackers using a similar method to deploy a prevalent threat raises the importance of having protection against attacks using this technique."

Dark Reading has contacted both Apple and Microsoft for further comment on this story.

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MacOS Safari 'HM Surf' Exploit Exposes Camera, Mic, Browser Data

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an
unauthorized attacker to trigger a gradual degradation in performance.



Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-45526

**Security Update for the OPC UA .NET Standard Stack**

**Package**

nuget OPCFoundation.NetStandard.Opc.Ua (NuGet)

**Affected versions**

< 1.5.374.118

**Patched versions**

1.5.374.118

nuget OPCFoundation.NetStandard.Opc.Ua.Core (NuGet)

**Description**

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that allows an  
unauthorized attacker to trigger a gradual degradation in performance.

**References**

*   GHSA-7vfh-cqpc-4267

Published to the GitHub Advisory Database

Oct 18, 2024

Last updated

Oct 18, 2024

GHSA-7vfh-cqpc-4267: Security Update for the OPC UA .NET Standard Stack

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that enables an unauthorized attacker to trigger a rapid increase in memory consumption.

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   White papers, Ebooks, Webinars
    *   Customer Stories
    *   Partners
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-qm9f-c3v9-wphv

**Security Update for the OPC UA .NET Standard Stack**

**Package**

nuget OPCFoundation.NetStandard.Opc.Ua (NuGet)

**Affected versions**

< 1.05.374.54

**Patched versions**

1.05.374.54

nuget OPCFoundation.NetStandard.Opc.Ua.Core (NuGet)

**Description**

This security update resolves a vulnerability in the OPC UA .NET Standard Stack that enables an unauthorized attacker to trigger a rapid increase in memory consumption.

**References**

*   GHSA-qm9f-c3v9-wphv

Published to the GitHub Advisory Database

Oct 18, 2024

Last updated

Oct 18, 2024

Tag

#web