CYBERSECURITY / DEFENSE / INTELLIGENCE

  • A significant data breach occurred at ServiceBridge, a technology company specializing in field service management. An unsecured database housing a substantial volume of sensitive business information was exposed to the public.

    The compromised database contained 31.5 million records, including contracts, work orders, invoices, proposals, and other critical documents from companies operating globally.

    This poses a significant risk to the confidentiality and integrity of sensitive business data and could potentially lead to unauthorized access, data theft, and financial loss.

    It involves a non-password-protected database containing over 31 million files totaling 2.68 TB.

    The exposed documents, primarily in PDF and HTML formats, were organized chronologically from 2012 onward and belonged to various companies across different industries. 

    [Figure: A redacted customer invoice that displayed the name, email address, phone number, and physical address of the client.]

    These sensitive documents, including contracts, work orders, invoices, and more, posed a substantial risk to business security and individual privacy.

    The widespread exposure of such confidential data has serious implications for affected organizations and individuals.

    The researcher discovered a publicly accessible database containing millions of documents from ServiceBridge, a field service management software.

    However, the extent of exposure and potential unauthorized access remain unknown due to ServiceBridge’s lack of response.

    An internal forensic audit is necessary to determine the timeline of the exposure, identify any suspicious activity, and assess ServiceBridge’s role and potential third-party involvement.

    The ServiceBridge platform is a versatile software solution designed to support a wide range of service-based industries. It caters to businesses from various sectors, including commercial and industrial services, pest and animal control, cleaning, landscaping, construction, and more.

    [Figure: A waiver form that includes the customer’s PII and partial payment information.]

    The platform’s adaptability is evident in its customer base, encompassing a wide spectrum of entities, from individual homeowners and schools to prominent chain restaurants, Las Vegas casinos, and medical providers.

    The exposed documents contained sensitive personal information (PII), including names, addresses, contact details, and partial credit card data.

    Protected health information (PHI), such as patient consent forms and medical equipment agreements, was also disclosed. 

    Site audit reports revealed images of properties and businesses potentially compromising physical security. The incident predominantly originated in the United States but also involved entities and individuals from Canada, the United Kingdom, and various European countries.

    Invoice fraud, a prevalent issue in B2C and B2B transactions, exploits exposed business documents to deceive victims using insider knowledge. This results in significant financial losses, estimated to average $300,000 per year for US businesses.

    [Figure: A service report made for a well-known restaurant chain in the UK.]

    Despite its widespread impact, many businesses remain unaware of its severity. While larger companies have resources to recover, small to medium-sized businesses and franchises are particularly vulnerable. 

    Proactive measures, such as educating accounts payable teams, verifying vendor information, and exercising caution when processing unfamiliar invoices, are essential to mitigate risks.

    Researchers at Website Planet highlight a potential security risk in cloud storage applications where unencrypted documents can be exposed due to misconfiguration.

    By accessing the database, attackers could potentially obtain sensitive information. 

    The post 32 Million Sensitive Records Exposed From Service Management Provider appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Eight Android and iOS apps fail to adequately protect user data: they transmit sensitive information, such as device details, geolocation, and credentials, over HTTP instead of HTTPS.

    This exposes the data to potential attacks like data theft, eavesdropping, and man-in-the-middle attacks.

    Encryption is a fundamental security measure for protecting user data, but many app developers seem to be implementing it incorrectly. 

    The Klara Weather and Military Dating apps pose significant security risks due to their unencrypted data transmission. Klara Weather leaks user geolocation data over HTTP, exposing privacy-sensitive information.

    Meanwhile, the Military Dating app sends unencrypted usernames and passwords, making them vulnerable to interception and compromise. This could potentially lead to unauthorized access to personal data, identity theft, or other malicious activities.

    [Figure: Military Dating network traffic]

    The Android apps Sina Finance and CP Plus Intelli Serve pose significant security risks by leaking sensitive device information, including device ID, SDK version, and IMEI, over unencrypted HTTP connections. This exposes users to potential tracking and profiling. 

    CP Plus Intelli Serve transmits usernames and passwords in plain text, making them vulnerable to interception and theft.

    Both apps fail to implement basic security measures, such as HTTPS encryption, to protect user data, exposing users to privacy and security breaches.

    [Figure: CP Plus Intelli Serve code evidence of HTTP URL usage]

    Latvijas Pasts and HaloVPN, popular mobile apps with over 100,000 and 13,300 downloads, pose significant security risks due to their unencrypted transmission of sensitive user data.

    Network traffic analysis and code inspection revealed that Latvijas Pasts leaks user geolocation over HTTP. At the same time, HaloVPN exposes device information, including device ID, language, model, name, time zone, and SIM details. 

    [Figure: HaloVPN network traffic]

    The mobile applications i-Boating: Marine Charts & GPS and Texas Storm Chasers are found to be transmitting sensitive user data over unencrypted HTTP connections. 

    Specifically, i-Boating sends device information like type and OS version. At the same time, Texas Storm Chasers transmits user geolocation, which exposes users to potential security risks, such as eavesdropping and data interception, as malicious actors can easily access their personal information. 

    [Figure: Texas Storm Chasers network traffic]

    The ongoing issue of unencrypted data transmission in mobile apps poses significant security risks to users.

    Developers are urged to prioritize app security by using HTTPS for all network traffic, encrypting sensitive data, conducting regular security audits, and being vigilant about user data protection.

    Symantec advises users to safeguard their mobile devices against threats by installing a reputable security app, avoiding app downloads from untrusted sources, maintaining up-to-date software, carefully reviewing app permissions, and regularly backing up crucial data.

    The post Research Unveils Eight Android And iOS That Leaks Users Sensitive Data appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Versa Networks offers Secure Access Service Edge (SASE), consolidating networking and security services in a single, cloud-based platform.

    Enterprises and service providers can redesign their networks to achieve new levels of business success with the help of their SD-WAN and SD-LAN product portfolios.

    The Security Research Team of Versa recently unveiled a zero-day vulnerability in its virtualization and service creation platform, Versa Director.

    The vulnerability is tracked as CVE-2024-39717. It is a privilege escalation flaw with a severity level of “High.”

    Technical Analysis

    In an unusual move, an advanced persistent threat (APT) actor has been spotted actively exploiting a high-severity vulnerability (CVE-2024-39717) in Versa Director, a component of the Versa Networks SD-WAN solution.

    All Versa SD-WAN customers who access Versa Director without having implemented the system hardening and firewall guidelines are under severe threat from this vulnerability, as threat actors can compromise their network and its resources by bypassing authentication.

    This particular vulnerability is still considered “High” in the Common Vulnerability Scoring System (CVSS) because it is relatively likely to result in remote code execution and lateral movement within the affected networks.

    Consequently, the CISA has covered this vulnerability in its list of practicing denial-of-service attacks.

    The targeting focuses on less hardened and consequently more vulnerable Versa SD-WAN systems, compromising features such as network segmentation, traffic routing, and security policies, among others.

    Affected organizations are warned to use the available security patches, perform additional hardening as recommended by Versa, and consider using other network segmentation and monitoring systems to prevent and detect exploitation attempts.

    The patched version is 22.1.4. The affected systems and versions are listed below:

    Versa Director:   

    • 21.2.3 
    • 22.1.2 
    • 22.1.3 

    Recommendations

    The recommendations are as follows:

    • Apply hardening best practices.
    • Upgrade the Director to one of the remediated versions.
    • Check to see if the vulnerability has already been exploited. 

    The post Versa Director Zero-day Vulnerability Let Attackers Upload Malicious Files appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Windows drivers can be abused to bypass security measures. Attackers can exploit vulnerabilities in legitimate drivers or use stolen or forged digital signatures to load malicious drivers into the operating system’s kernel.

    These drivers can then interfere with security software, disabling protections and allowing attackers to gain unauthorized access.

    To mitigate these risks, Microsoft has implemented measures like driver signature enforcement and attestation signing, but attackers continue to find ways to circumvent these safeguards.

    [Figure: One of the WHQL-signed drivers from the attacks in 2022-2023]

    Poortry and Stonestop, a persistent threat since 2022, have been employed by various ransomware groups to bypass security measures.

    The malicious kernel driver, often obfuscated with packers like VMProtect or Themida, leverages techniques like driver signature enforcement bypass to gain unauthorized access. 

    Despite Microsoft’s efforts to revoke abused certificates, the attackers have adapted by using forged signatures or leaked certificates. 

    Poortry’s creators have demonstrated high adaptability, frequently modifying the driver and switching signing certificates to evade detection, underscoring the importance of robust security measures to combat advanced persistent threats.

    [Figure: Timeline of the observed signer names used by Poortry’s payload driver over a 15-month period.]

    Sophos identified attackers deploying Poortry, a malicious tool, with various digital certificates to bypass security measures.

    In a single attack, the threat actors used multiple Poortry variants with different certificates (“bopsoft” and “Evangel Technology”) within 30 seconds, likely to evade signature-based detection.  

    This tactic, called “certificate roulette,” highlights the attackers’ attempt to establish persistence and deploy additional tools like Stonestop for further malicious activity. 
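
    A detection sketch for the "certificate roulette" pattern described above, added here as an example and not taken from Sophos or the original article: it flags a host when drivers signed by two or more non-baseline signers load within 30 seconds. The record layout, host names, paths and the baseline signer set are assumptions; only the two signer names and the 30-second interval come from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)            # interval quoted in the article
BASELINE_SIGNERS = {"Microsoft Windows"}  # assumption: signers expected on this fleet

# Constructed sample records, loosely modelled on driver-load telemetry
# (timestamp, host, driver image path, signer name). Hosts and paths are
# placeholders; "bopsoft" and "Evangel Technology" are the names in the article.
SAMPLE_EVENTS = [
    {"time": "2024-08-01T10:00:02", "host": "ws-01",
     "image": r"C:\Windows\System32\drivers\example.sys", "signer": "Microsoft Windows"},
    {"time": "2024-08-01T10:05:10", "host": "ws-01",
     "image": r"C:\Users\Public\a1.sys", "signer": "bopsoft"},
    {"time": "2024-08-01T10:05:31", "host": "ws-01",
     "image": r"C:\Users\Public\b2.sys", "signer": "Evangel Technology"},
    {"time": "2024-08-01T09:00:00", "host": "ws-02",
     "image": r"C:\Drivers\vendor_a.sys", "signer": "Example Vendor A"},
    {"time": "2024-08-01T09:10:00", "host": "ws-02",
     "image": r"C:\Drivers\vendor_b.sys", "signer": "Example Vendor B"},
]


def find_signer_roulette(events, window=WINDOW, baseline=BASELINE_SIGNERS,
                         min_signers=2):
    """Return one alert per host where drivers from >= min_signers distinct
    non-baseline signers were loaded inside a single sliding window."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["signer"] in baseline:
            continue  # expected signer, not interesting for this rule
        when = datetime.fromisoformat(ev["time"])
        by_host[ev["host"]].append((when, ev["signer"], ev["image"]))

    alerts = []
    for host, loads in by_host.items():
        loads.sort()  # chronological order
        start = 0
        for end in range(len(loads)):
            # Shrink the window from the left until it spans <= `window`.
            while loads[end][0] - loads[start][0] > window:
                start += 1
            in_window = loads[start:end + 1]
            signers = {signer for _, signer, _ in in_window}
            if len(signers) >= min_signers:
                span = in_window[-1][0] - in_window[0][0]
                alerts.append({
                    "host": host,
                    "signers": sorted(signers),
                    "images": [image for _, _, image in in_window],
                    "span_seconds": int(span.total_seconds()),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_signer_roulette(SAMPLE_EVENTS):
        print(alert)
```

    The baseline set decides the noise level: at boot many legitimately signed drivers load close together, so the rule is only useful once expected signers are excluded.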

    Poortry and Stonestop, a sophisticated EDR wiper, employ a multi-phased approach to disable security defenses, where the loader, Stonestop, checks for the driver, Poortry, in the same directory and initiates a handshake via DeviceIoControl. 

    Poortry then disables EDR products by modifying kernel notify routines and patching callback functions associated with security drivers. 

    [Figure: Comparison before and after prologue patching]

    It also detaches specific device objects from the system’s device stack to render installed filters useless, which allows the wiper to effectively impair EDR capabilities, paving the way for subsequent malicious activities.

    The EDR killer first targets security-related processes by sending IOCTL requests to its kernel-mode component.

    Then, it uses a list of hardcoded paths to locate and delete critical EDR files, such as EXE or DLL files, by sending another IOCTL request. 

    [Figure: Implementation of deleting files by type]

    The user-mode component can operate in two modes: deleting files by type or by name, likely for flexibility in targeting different EDR products. The hardcoded paths and operation modes likely vary depending on the specific target.

    Poortry, initially a tool for unhooking endpoint protection components, has significantly evolved. It now abuses stolen code-signing certificates to bypass Driver Signature Verification, providing rootkit-like capabilities for controlling low-level OS functionality.

    It can also wipe security software from the disk, creating a path for ransomware deployments. This highlights the tool’s growing sophistication and potential for causing significant harm.

    The post Pootry EDR Killer Malware Wipes Out Security Tools From Windows Machine appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • Two suspects have been apprehended for mail theft after being tracked using an AirTag locator device.

    The incident unfolded on August 19, 2024, when deputies responded to a theft report at the Los Alamos Post Office.

    This innovative use of technology highlights the potential of modern devices in crime prevention and the importance of community vigilance.

    Ingenious Plan by Victim

    The victim, who had experienced previous mail thefts, devised a clever plan to catch the culprits.

    She mailed herself a package containing an AirTag, a small tracking device developed by Apple designed to help locate lost items.

    When her mail was stolen again, including the package with the AirTag, she could track its location.

    Notably, the victim refrained from confronting the suspects herself, opting instead to involve law enforcement.

    Arrest and Charges

    The suspects, 27-year-old Virginia Franchessca Lara from Santa Maria and 37-year-old Donald Ashton Terry from Riverside, were in the 600 block of E. Sunrise Drive in Santa Maria.

    Deputies discovered them in possession of the victim’s mail, including the AirTag-equipped package, as well as items believed to be stolen from over a dozen other victims.

    Lara faces several felony charges, including possession of checks with intent to commit fraud, fictitious checks, identity theft, credit card theft, and conspiracy. She is currently held at the Northern Branch Jail on $50,000 bail.

    Terry, who also faces multiple felony charges, including burglary and identity theft, was booked on additional theft-related warrants from Riverside County. His bail is set at $460,000.

    The Sheriff’s Office praised the victim for her proactive approach and emphasized the importance of contacting law enforcement rather than attempting to confront suspects personally.

    This case serves as a reminder of the effectiveness of combining technology with appropriate safety measures.

    Deputies are continuing their investigation and contacting additional victims who may have been affected by the suspects’ activities.

    This incident not only underscores the potential of devices like AirTags in aiding law enforcement but also highlights the critical role of community members in crime prevention.

    As technology continues to evolve, such innovative solutions may become increasingly common in the fight against crime, offering new tools for individuals and law enforcement agencies.

    The post Airtags Locator Device used to Grab the Stolen Parcel appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.

  • The threat actors behind the BlackByte ransomware group have been observed likely exploiting a recently patched security flaw impacting VMware ESXi hypervisors, while also leveraging various vulnerable drivers to disarm security protections. “The BlackByte ransomware group continues to leverage tactics, techniques, and procedures (TTPs) that have formed the foundation of its tradecraft since its

  • The MLOps pipeline automates the machine learning lifecycle, from model training to deployment, which involves defining the pipeline using Python code, monitoring for dataset or model parameter changes, training new models, evaluating them, and deploying successful models to production. 

    Model registries like MLFlow act as version control systems for ML models, allowing for easy tracking and management.

    Model-serving platforms like Seldon Core provide a robust way to deploy and serve models in production, eliminating the need for custom web applications and simplifying the process for ML engineers.

    [Figure: Steps of a Common MLOps Pipeline]

    MLOps platforms can be vulnerable to both inherent and implementation vulnerabilities.

    Inherent vulnerabilities arise from the underlying formats and processes used on these platforms, such as the unsafe use of the Pickle format in Python, which are challenging to address as they are often inherent to the technology itself.

    Implementation vulnerabilities, on the other hand, are specific to a particular MLOps platform’s implementation and can be mitigated through patches or updates.

    Understanding these vulnerabilities is crucial for securing MLOps environments and preventing attacks.

    [Figure: Six of the most popular open-source MLOps platforms]

    The research identified inherent vulnerabilities in MLOps platforms that enable attackers to execute arbitrary code by embedding code in machine learning models (e.g., Keras H5 models) that execute upon loading. 

    Similarly, some dataset libraries (e.g., Hugging Face Datasets) allow code execution when loading datasets, and attackers can exploit Cross-Site Scripting (XSS) vulnerabilities in ML libraries (e.g., CVE-2024-27132 in MLFlow) to inject malicious JavaScript code that escapes the browser sandbox and executes arbitrary Python code on the Jupyter server.

    [Figure: Attackers serving a malicious MLFlow recipe with an XSS payload]

    The significant implementation vulnerabilities in MLOps platforms include a lack of authentication, container escape, and inherent immaturity. Many platforms lack authentication mechanisms, allowing unauthorized users to execute arbitrary code through ML pipelines.

    Container escape vulnerabilities enable attackers to gain control of the container environment and potentially spread to other resources.

    The immaturity of MLOps platforms, especially open-source ones, contributes to a higher number of security vulnerabilities.

    [Figure: Poisoning adjacent ML models]

    According to JFrog, the map illustrates the vulnerabilities of various MLOps features to potential attacks.

    For instance, platforms that enable model serving are susceptible to code injection attacks if they are not adequately secured. 

    To mitigate this risk, it’s imperative to isolate the model execution environment and implement robust container security measures.

    Additionally, the map highlights other vulnerabilities in features like data pipelines, model training, and monitoring, emphasizing the need for comprehensive security practices throughout the MLOps lifecycle.

    XSSGuard is a JupyterLab extension that mitigates XSS attacks by sandboxing susceptible output elements; it can be installed from the JupyterLab Extension Manager. Hugging Face Datasets version 2.20.0 disables automatic code execution by default.

    Users should upgrade to this version and use explicit flags for code execution when loading datasets.

    To deploy MLOps platforms securely, check for supported features, isolate components in Docker containers, enable authentication, and implement strict policies for model uploads and execution.
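
    One way to enforce a strict policy on model uploads for the Pickle case mentioned above, added here as an example and not taken from JFrog's research or any MLOps platform: an unpickler that resolves only allowlisted globals, so an artifact that asks for anything else is rejected before any callable runs. The allowlist contents and the function names `safe_loads` and `check_artifact` are assumptions for illustration.

```python
import io
import pickle
from collections import OrderedDict

# Assumption: the only importable objects a plain-data artifact may reference.
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global not explicitly allowlisted.

    Pickle resolves callables through find_class() before it can invoke them,
    so raising here stops the load before attacker-chosen code executes.
    """

    def __init__(self, file, allowed=ALLOWED_GLOBALS):
        super().__init__(file)
        self._allowed = allowed

    def find_class(self, module, name):
        if (module, name) not in self._allowed:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(data, allowed=ALLOWED_GLOBALS):
    """Deserialize bytes, permitting only allowlisted globals."""
    return AllowlistUnpickler(io.BytesIO(data), allowed).load()


def check_artifact(data, allowed=ALLOWED_GLOBALS):
    """Upload-time gate: return (accepted, detail) without trusting the file."""
    try:
        safe_loads(data, allowed)
    except pickle.UnpicklingError as exc:
        return False, str(exc)
    return True, "only allowlisted globals referenced"


class _ReduceDemo:
    """Constructed, harmless stand-in for a model object that carries code:
    its pickle asks the loader to call builtins.print during deserialization."""

    def __reduce__(self):
        return (print, ("constructed side effect: code ran during load",))


# Constructed sample artifacts (not real model files).
BENIGN_ARTIFACT = pickle.dumps(
    {"weights": [0.1, 0.2], "layers": OrderedDict([("dense", 4)])}
)
SUSPICIOUS_ARTIFACT = pickle.dumps({"weights": [0.1], "hook": _ReduceDemo()})


if __name__ == "__main__":
    print(check_artifact(BENIGN_ARTIFACT))
    print(check_artifact(SUSPICIOUS_ARTIFACT))
```

    The same gate does not cover formats that embed code by other means, so it complements rather than replaces isolating the model execution environment.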

    The post Researchers Disclosed 20 Vulnerabilities Exploited To Attack ML Used In Orgs appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The cyber espionage group Patchwork, also known by various aliases, has been active since 2009, primarily targeting Asian organizations in sectors such as government, military, and industry. 

    Based in South Asia, the group has been conducting cyber-espionage campaigns for over a decade, and their activities have focused on compromising sensitive information from their targets, highlighting the group’s persistent threat to the region’s cybersecurity landscape.

    Recently, a new variant was discovered that distributed two steganographic components for screenshotting and file information collection. While the Spyder downloader’s core functionality remains unchanged, the code structure and C&C communication format have been modified.

    The attack process involves the Spyder downloader remotely downloading encrypted ZIP packages containing subsequent components and executing them.

    The steganographic components, hidden within the downloaded files, are used to capture screenshots and gather file information, potentially compromising sensitive data.

    attack process of the Spyder downloader and the steganographic components

    The samples indicate the presence of three potentially malicious files. “eac_launcher.exe” is a spyware downloader identified by its MD5 hash. “IntelPieService.exe” is a screenshot component that could be used for unauthorized data collection. 

    “RstMwService.exe” is a file decryption component, suggesting its potential involvement in ransomware activities. The files were compiled at various times between February and June 2024 and have been associated with malicious activities.

    The downloader disguises itself as a Word document and injects configuration data directly into the code, unlike previous versions that encrypted it. It also uses traffic spoofing techniques to mimic traffic to legitimate websites like Google APIs and GitHub.

    .text segments of multiple system DLLs

    It also attempts to tamper with system DLLs and schedules self-replication tasks. Communication with the command and control server (“C2”) involves sending a Base64-encoded JSON string with the machine’s unique identifier and a potentially version-related string. 

    This initial contact determines if the downloader should gather information about the infected device and potentially download additional components. 

    The malware first checks with the C2 server to see if it needs to collect device information. If yes, it collects the hostname, user ID, OS version, and antivirus information and sends it back.

    Then it enters a loop, generating fake traffic and querying the C2 server again, and if the response indicates new components, it extracts the download category, zip name, and password from the response. 

    contents of the middle field decrypting in CyberChef
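
    A detection sketch for the check-in pattern described above (a Base64-encoded JSON string carrying a machine identifier and a version-like string, sent repeatedly in a loop), as an added example that is not from the article or the cited research. The record layout (client, host, form-encoded body), the parameter and field names, and all sample values are constructed assumptions.

```python
import base64
import binascii
import json
from collections import Counter
from urllib.parse import parse_qsl, urlencode

def decode_b64_json(value):
    """Return the dict if value is strict Base64 wrapping a JSON object, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):
        return None
    return obj if isinstance(obj, dict) else None

def looks_like_checkin(obj):
    """Two string fields: the shape of an identifier plus a version-like string."""
    return len(obj) == 2 and all(isinstance(v, str) for v in obj.values())

def find_beacons(records, min_repeats=3):
    """Flag (client, host, count) where the same decoded check-in repeats."""
    seen = Counter()
    for client, host, body in records:
        for _, value in parse_qsl(body, keep_blank_values=True):
            obj = decode_b64_json(value)
            if obj is not None and looks_like_checkin(obj):
                seen[(client, host, json.dumps(obj, sort_keys=True))] += 1
    return sorted((c, h, n) for (c, h, _), n in seen.items() if n >= min_repeats)

def _blob(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed proxy records: one repeating check-in, one plain query,
# and one single Base64-JSON value that must not be flagged on its own.
CHECKIN = _blob({"id": "HOST-0001-constructed", "ver": "1.0"})
SAMPLE_RECORDS = (
    [("10.0.0.5", "c2.example.test", urlencode({"data": CHECKIN}))] * 4
    + [("10.0.0.7", "api.example.test", urlencode({"q": "weather", "page": "2"}))]
    + [("10.0.0.9", "app.example.test",
        urlencode({"cfg": _blob({"theme": "dark", "lang": "en"})}))]
)

if __name__ == "__main__":
    for client, host, count in find_beacons(SAMPLE_RECORDS):
        print(f"{client} -> {host}: identical check-in seen {count} times")
```

    The repeat threshold matters because a single Base64-wrapped JSON value is common in legitimate applications; it is the identical payload recurring from one client to one host that matches the loop described in the report.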

    It then constructs a download request, retrieves the zip file containing the components, extracts them to a specific directory, and executes them using CreateProcessW.

    Spyder Downloader, a tool used by Patchwork Group, delivers two steganographic components with separate functionalities. The first component, IntelPieService.exe, captures screenshots and sends them to a server, while the second component, RstMwService.exe, steals file information and stores it in a local database. 

    According to the QiAnXin Threat Intelligence Center, both components share the same digital signature and are downloaded from different C2 servers, allowing attackers to selectively deploy follow-up components based on their targets. 

    The post Patchwork Actors Using Weaponized Encrypted Zip Files to Attack Orgs appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
