
The flaws allow attackers to use a serialization oversight to compromise systems for remote code execution.

CISA is warning Adobe and Oracle customers about in-the-wild exploitation of critical vulnerabilities affecting the services of these leading enterprise software providers.

The US cybersecurity watchdog added vulnerabilities in Adobe ColdFusion (CVE-2017-3066) and Oracle Agile Product Lifecycle Management (PLM) (CVE-2024-20953) to its known exploited vulnerabilities (KEV) catalog on Monday.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said in the advisory.

Deserialization demons still haunt Adobe web development

The Adobe ColdFusion flaw flagged by CISA is an old Java deserialization bug in the Apache BlazeDS library, which received a critical severity rating of CVSS 9.8 out of 10 because it enables arbitrary code execution.

Adobe disclosed CVE-2017-3066 in April 2017 along with hotfixes for all the affected versions, including Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier.

“These hotfixes include an updated version of the Apache BlazeDS library to mitigate the Java deserialization vulnerability,” Adobe said in an advisory at the time.

In a 2018 blog post, Code White researchers detailed vulnerabilities in Adobe ColdFusion (versions 11 and 12), focusing on deserialization issues within the Action Message Format (AMF) that ColdFusion uses for data exchange. They had discovered that, before the CVE-2017-3066 fix, ColdFusion lacked class whitelisting, allowing attackers to abuse java.io.Externalizable for remote code execution.

CISA did not disclose specific details of the exploitation for security reasons, warning all organizations to promptly patch vulnerable systems against potential threats.

Stay updated with SOC News for cutting-edge security innovations and expert industry insights! 

Source : https://www.csoonline.com/article/3832453/critical-deserialization-bugs-in-adobe-oracle-software-actively-exploited-warns-cisa.html



Research shows various ways to classify CISOs based on role expectations, strengths and experience – distinctions that matter when it comes to ensuring that security leaders land in jobs where they will succeed.

When executives at a startup asked security leader George Gerchow to advise them on selecting a CISO, Gerchow recommended finding a security chief who had the skills to scale a security program, handle an incident, and engage with customers.

The company instead hired a highly technical CISO, one who worked like the hands-on architect Gerchow had been but lacked the leadership skills that were needed to calm clients when a security event eventually occurred. That skills deficit left the CEO scrambling to fill the void and customers feeling dissatisfied.

The story shows that the CISO was the wrong type for the role, says Gerchow, faculty at IANS Research and interim CISO/head of trust at MongoDB. The anecdote and Gerchow’s observations highlight the idea that leaders — including business executives broadly and CISOs in particular — can be classified into different types.


Source : https://www.csoonline.com/article/3830379/strategic-functional-tactical-which-type-of-ciso-are-you.html

Panicking bank customers is neither difficult nor expensive, as a recent study shows, suggesting that CISOs must also keep disinformation campaigns in mind.


The British research organization Say No To Disinfo has simulated an AI-driven disinformation campaign in cooperation with communications specialists Fenimore Harper. As part of the campaign, 500 bank customers in the UK were confronted with synthetic “rumours” about their financial institution.

The motivation behind the simulation was to ascertain whether fake news campaigns based on generative AI could trigger “bank runs” in the future — such as occurred against the Silicon Valley Bank in the US.   

The results of the study underline AI’s ominous potential in this area:

  • Almost 61% of study participants who consumed the fake news were fundamentally willing to withdraw their money from the respective bank.
  • Just over 33% of respondents rated this as “very likely,” and another 27% as “probable.”
  • Translated into financial expenditure, according to the study, a £10 investment in AI content generation (around US$13) can be enough to “shift” assets worth £1 million.

“With the help of AI tools, we generated false headlines whose narratives were intended to play on existing fears and biases. The key message was: ‘Customer funds are not safe,’” explain the study authors.

According to their report, the experts primarily used the short message service X to spread masses of corresponding posts and memes.


Source : https://www.csoonline.com/article/3829738/ai-can-kill-banks.html

Investigation revealed that the BingX and Phemex hacks were also connected to the same cluster as Bybit’s, confirming the threat actor’s identity as the Lazarus group.

An independent investigation into the $1.5 billion hack suffered by the Bybit cryptocurrency exchange on Friday has revealed connections to the infamous Lazarus group.

A day after the attack was disclosed by Bybit, blockchain investigator ZachXBT shared findings connecting the hack to the DPRK-backed hacking group.

“At 19.09 UTC today, @zackxbt submitted definitive proof that this attack on Bybit was performed by the Lazarus Group,” said a Saturday X post by Arkham Intelligence, the blockchain analysis firm that awarded ZachXBT a bounty for the discovery.

Bybit is the world’s second-largest cryptocurrency exchange by trading volume, with over 50 million registered users worldwide as per a September 2024 report.

Connection confirmed by transactions prior to the attack

ZachXBT submitted a detailed analysis of test transactions and connected wallets used just before the exploit, along with multiple graphs and timing analysis, which Arkham added in the X post.


Source : https://www.csoonline.com/article/3831315/bybits-1-5b-hack-linked-to-north-koreas-lazarus-group.html

CISOs and other cybersecurity leaders share insight on a crucial but overlooked task after any security incident: rebuilding trust with the stakeholders that matter the most.


When incident response plans cover the aftermath, they typically focus solely on technical matters, such as root cause analysis or upgrading systems. The problem with this approach is that breaches are not only technical in nature — they can also undermine trust among various internal and external stakeholders of the business.

This loss of trust can be hard to measure, but it manifests concretely. For example, publicly traded companies may lose the enthusiasm of institutional and retail investors. Once popular organizations for tech talent may see their pipeline of applicants dry up. The morale of your cybersecurity team may wane, leading to retention issues and resignations.

In short, CISOs must prioritize rebuilding trust with stakeholders as an equal priority to any technical exercise. After all, no improvement or upgrade matters if stakeholders do not buy into your organization’s overall cybersecurity plan or execution.

Transparency across the incident lifecycle

Christopher Robinson, chief security architect of The Linux Foundation, says transparency is key to rebuilding stakeholder trust. Unfortunately, companies often take the opposite approach.


Source : https://www.csoonline.com/article/3825447/how-cisos-can-rebuild-trust-after-a-security-incident.html

Stealthy C2 messages operated by the Golang backdoor could easily be mistaken for legitimate Telegram API communication.

Hackers have been found deploying an unfinished Russian malware, written in Golang, that leverages Telegram as its command-and-control (C2) channel.

Netskope Threat Labs, the research wing of the cybersecurity firm Netskope, discovered the malware. “As part of Netskope Threat Labs hunting activities, we came across an IoC being shared by other researchers and decided to take a closer look at it,” Netskope researchers said in a blog post.

The researchers added that the malware (Trojan.Generic.37477095), which presently seems to be under development yet is fully functional, acts like a backdoor on execution.

Abusing Telegram API for C2 communications

According to the researchers, C2 communication being established by the malware could easily be mistaken for legitimate Telegram API deployments, making its detection difficult.

“Although the use of cloud apps as C2 channels is not something we see every day, it’s a very effective method used by attackers not only because there’s no need to implement a whole infrastructure for it, making attackers’ lives easier, but also because it’s very difficult, from defender perspective, to differentiate what is a normal user using an API and what is a C2 communication,” researchers noted.

The backdoor uses Telegram as its C2 mechanism by using an open-source Go package to interact with it, the blog post added. It initially creates a bot instance using Telegram’s BotFather feature which enables creating, managing, and configuring Telegram Bots.


Source : https://www.csoonline.com/article/3826808/russian-malware-discovered-with-telegram-hacks-for-c2-operations.html


Security experts warn of surge in malware targeting credentials stored in password vaults and managers as adversarial focus and tactics shift. ‘Like hitting the jackpot.’

Security watchers warn of a three-fold increase in malware that targets credential stores, such as password managers and browser-stored login data.

The study by Picus Security, which was based on analysis of 1 million real-world malware samples, also found that 93% of all malicious actions mapped to just 10 MITRE ATT&CK techniques.

Password store security trade-offs

Password stores are secure repositories designed to manage and protect sensitive authentication data, including usernames, passwords, encryption keys, and other credentials. Stores come in various forms, tailored to use cases and resident operating systems.

The main types of password stores include Keychain (for macOS and iOS), built-in password managers in browsers such as Chrome and Firefox, Windows Credential Manager, and dedicated password managers such as LastPass, 1Password, and Bitwarden. The category also includes cloud secrets management stores, like AWS Secrets Manager and Azure Key Vault, and caches and memory of third-party software.

Password stores aim to enhance security by providing encrypted storage and convenient access to credentials, reducing the risk of password reuse and simplifying the management of multiple complex passwords. Unfortunately, the centralized nature also makes them attractive targets for cybercriminals who target them through various strains of malware.


Source : https://www.csoonline.com/article/3825453/password-managers-under-increasing-threat-as-infostealers-triple-and-adapt.html

The FBI and CISA have issued a joint advisory warning software developers against shipping code with buffer overflow vulnerabilities, calling them “unforgivable” mistakes.

Tagging the advisory as part of their ongoing “Secure by Design” efforts, the authorities said these vulnerabilities are prevalent in software, including products from vendors like Microsoft, VMware, and Ivanti, and can lead to full system compromise.

“CISA and FBI maintain that the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities — especially the use of memory-unsafe programming languages — poses unacceptable risk to our national and economic security,” the authorities said.

A buffer overflow defect is a memory safety vulnerability that stems from a program reading or writing memory beyond its allocated boundaries, or from failing to initialize memory properly.

Buffer Overflow bugs are unforgivable

“The CISA and FBI recognize that memory safety vulnerabilities encompass a wide range of issues — many of which require significant time and effort to properly resolve,” the advisory added. “While all types of memory safety vulnerabilities can be prevented by using memory safe languages during development, other mitigations may only address certain types of memory safety vulnerabilities.”

The advisory pointed out that buffer overflow flaws are well-understood vulnerabilities and are easily avoidable by using memory-safe languages. It also listed additional techniques to help fix these issues.


Source : https://www.csoonline.com/article/3823937/cisa-fbi-call-software-with-buffer-overflow-issues-unforgivable.html

A Russian state-backed hacking group is executing one of the most far-reaching cyber espionage campaigns ever seen, infiltrating critical infrastructure across multiple continents by exploiting vulnerabilities in IT management software.

The operation, attributed to the notorious Russian threat actor Seashell Blizzard, has compromised high-profile targets in energy, telecommunications, defense, and government sectors, including in the US, Canada, Australia, and the UK, Microsoft said in a report.

The software major has warned that the scale and persistence of these attacks pose an immediate and severe risk to global cybersecurity.

“Active since at least 2021, this subgroup within Seashell Blizzard has leveraged opportunistic access techniques and stealthy forms of persistence to collect credentials, achieve command execution, and support lateral movement that has at times led to substantial regional network compromises,” Microsoft said in the report.

Seashell Blizzard’s activities align with those tracked by other security vendors under various names, including BE2, UAC-0133, Blue Echidna, Sandworm, PHANTOM, BlackEnergy Lite, and APT44.

Russian cyber warfare expands beyond Ukraine

The hacking subgroup, tracked as the “BadPilot campaign,” has been active since at least 2021, originally focusing on Ukraine and Europe. Microsoft reports that the operation has now extended its reach into North America, Central Asia, and the Middle East.

“The geographical targeting to a near-global scale expands Seashell Blizzard’s operations beyond Eastern Europe,” said the report.

Seashell Blizzard, linked to Russia’s Military Intelligence Unit 74455 (GRU), has a long history of cyberespionage and destructive cyberattacks aligned with Kremlin interests.

This latest campaign demonstrates the group’s growing sophistication in leveraging stealth tactics and opportunistic access methods to gain control of high-value networks.


Source : https://www.csoonline.com/article/3823955/russian-hacking-group-targets-critical-infrastructure-in-the-us-the-uk-and-canada.html



The cybersecurity industry is facing an unprecedented challenge: retaining skilled professionals in the midst of an ever-expanding threat landscape and a significant skills shortage. Organizations are finding themselves in fierce competition to attract and hold onto cybersecurity talent, and failing to do so can have dire consequences.

According to recent research by Forrester, neglecting staff retention efforts can lead to increased absenteeism, toxic work environments, and ultimately, greater security risks. Security teams experiencing high levels of burnout and disengagement report nearly three times the number of internal breaches compared to those with a healthy work culture. Furthermore, when team members fear retribution for raising concerns that affect their organization’s risk posture and they lack psychological safety, the risk of internal incidents skyrockets by three and a half times more than the global average.

To address these challenges, organizations need to implement strategic measures, including creating an environment that fosters resilience and job satisfaction, to retain cybersecurity professionals.

According to Robert Huber, CSO and head of research at Tenable, achieving balance between managing the work that cybersecurity professionals need to do and how they go about completing their work is key. He explains that despite the growing demand cybersecurity professionals face, budgets often fail to keep pace. Therefore, CISOs must prioritize cyber risks effectively to prevent teams from being overwhelmed by the sheer volume of threats, help alleviate pressure, and prevent burnout.


Source : https://www.csoonline.com/article/3813922/beyond-the-paycheck-what-cybersecurity-professionals-really-want.html