-
In a previously unreported incident, one of China’s maneuvering satellite was tracked and approached by a Russian one.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
An Iranian threat actor affiliated with the Ministry of Intelligence and Security (MOIS) has been attributed as behind destructive wiping attacks targeting Albania and Israel under the personas Homeland Justice and Karma, respectively. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-0842 (formerly DEV-0842) by
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
In the big data era, pre-training large vision transformer (ViT) models on massive datasets has become prevalent for enhanced performance on downstream tasks.
Visual prompting (VP), introducing learnable task-specific parameters while freezing the pre-trained backbone, offers an efficient adaptation alternative to full fine-tuning.
However, the VP’s potential security risks remain unexplored. The following cybersecurity analysts from Tsinghua University, Tencent Security Platform Department, Zhejiang University, Research Center of Artificial Intelligence, Peng Cheng Laboratory recently uncovered a novel backdoor attack threat for VP in a cloud service scenario, where a threat actors can attach or remove an extra “switch” prompt token to toggle between clean and backdoored modes stealthily:-
- Sheng Yang
- Jiawang Bai
- Kuofeng Gao
- Yong Yang
SWARM – Switchable Backdoor Attack
Researchers’ proposed Switchable Attack against pre-trained Models (SWARM) optimizes a trigger, clean prompts, and the switch token via clean loss, backdoor loss, and cross-mode feature distillation, ensuring normal behavior without the switch while forcing target misclassification when activated.
ANYRUN malware sandboxβs 8th Birthday Special Offer: Grab 6 Months of Free Service
Experiments across visual tasks demonstrate SWARM’s high attack success rate and evasiveness.
Here an offending cloud service provider acts as a threat actor, this is based on existing backdoor attack scenarios.
These users submit task datasets and pre-trained models to the threat actor’s service.
They also apply the trained API of attackers while attempting to identify and mitigate backdoors.
The opponent does not manage user samples but controls prompt inputs. In normal mode, a model should handle triggered patterns without any detection.Β
In backdoor mode, it should have a high attack success rate. This attack aims at hiding triggers by predicting correctly on clean samples and misclassifying them when a “switch” trigger is added.
.webp)
Clean and Backdoor mode (Source – Arxiv) The threat actor understands the downstream dataset and tunes prompts accordingly through visual prompting.
Visual prompting adds learnable prompt tokens after the embedding layer so that during training only these task-specific parameters are modified.
Users may use augmented clean data and mitigation techniques such as Neural Attention Distillation (NAD) and I-BAU to address this risk.
While, the researchers’ experiments reveal that SWARM achieves 96% ASR against NAD and over 97% against I-BAU, as a result outperforming baseline attacks by a significant margin.
This shows SWARM’s ability to evade detection and mitigate threats, which consequently increases the danger to victims.
Researchers propose a new brand of backdoor attack on adapting pre-trained vision transformers with visual prompts, which insert an extra switch token for making invisible transitions between clean mode and backdoored one.Β
SWARM indicates a new realm of attack mechanisms while also providing acceleration for future defense research.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
The post SWARM – Switchable Backdoor Attack Against Pre-trained Models appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
A critical remote code execution vulnerability has been discovered in the git clone which was assigned with CVE-2024-32002 and the severity has been given as 9.0 (Critical).
This particular vulnerability existed in the clone command that is widely used.
Git released a security advisory last week which stated that about a Remote Code Execution.
In addition to this, the vulnerability was described to be existing due to the submodules that can be drafted in a particular way that could result in remote code execution.
However, this vulnerability has been fixed by git and patched versions have been released.
Vulnerability Analysis – CVE-2024-32002
According to the reports shared with Cyber Security News, git employs submodules which are repositories nested within other repositories.
Every submodule has a designated directory path within the main directory which is tracked for ensuring changes are recorded accurately.
On observing further, it was discovered that there were case-insensitive filesystems in the default settings on Windows (A/modules/x) and macOS (a/modules/x).
Both of these paths are treated the same which is the main core reason behind the remote code execution.
In addition to this, symlinks or symbolic links are file system objects that act as pointers to other files or directories.
However, this symlink can be used for referencing other parts of the repository making it exploitable for malicious purposes.
ANYRUN malware sandboxβs 8th Birthday Special Offer: Grab 6 Months of Free Service
Source Code Analysis
As per the commit of the fix of this vulnerability, there were changes only to two files which were builtin/submodule–helper.c and t/t7406-submodule-update.sh.
Git Commit (Source: Amalmurali.net) Additionally, the message on the commit indicated that “On case-insensitive filesystems, however, we blindly replace a directory that has been created as part of the clone operation with a symlink when the path to the latter differs only in case from the formerβs path…..we must be careful not to follow symbolic links.
Otherwise we may follow a symbolic link pointing to a gitdir (which are valid symbolic links!) e.g. while cloning.”
builtin/submodule–helper.c file and t/t7406-submodule-update.sh
The change on this file contained the clone_submodule which handles the cloning process for submodules.
There was a new function dir_contains_only_dotgit which checks if a directory contains only a .git file or directory.
Further, the clone_submodule was added with a Git check to determine whether the submodule directory exists or is empty.
In case of empty, the operation is aborted to avoid overwriting. Whereas the t/t7406-submodule-update.sh is a test script that has multiple information like Global configuration, hook repository setup, and main repository setup.
Exploitation Of The RCE
With all the information, the root issue existed in the case-insensitive filesystems treating paths like A/modules/x and a/modules/x as identical.
To exploit this, a malicious symlink must be crafted within the submodule, which is named with a case variation of the submodule’s path, but at the end, it points to the .git/ directory.
When a victim clones the malicious repository, Git creates a directory for the submodule, which is supplied with a symlink that makes the malicious symlink to be replaced in the newly created directory.
If the script is crafted in a different way, it could lead to executing remote code on the vulnerable instance system.
A proof of concept has been published by the researcher, which can be triggered using the following command:
git clone –recursive git@github.com:amalmurali47/git_rce.git
.webp)
PoC on Windows (Source: GitHub/@amalmurali47) .webp)
PoC on Mac (Source: GitHub/@amalmurali47) Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
The post Critical Git Vulnerability Let Attackers Execute Remote Code : PoC Published appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
In the final episode in a three-part series, we revisit the guns-vs.-butter debate and take another look at the consequences of Washington’s “porcupine” strategy for Taiwan’s defense.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
In a recent encounter, the Akira ransomware group exploited a novel privilege escalation technique, where the attackers infiltrated the victim’s virtual environment to steal the NTDS.dit file, a critical file containing domain user accounts and passwords stored on domain controllers.
The stolen information likely granted them escalated privileges within the network, potentially allowing them to move laterally and launch a ransomware attack more quickly.Β
Akira, a cyber threat actor active since March 2023, targets SMEs globally to infiltrate networks by exploiting weak VPNs (compromised credentials or vulnerabilities), as it breached an agricultural company through an unpatched single-factor VPN.
ANYRUN malware sandboxβs 8th Birthday Special Offer: Grab 6 Months of Free Service
Once inside, they leveraged a remote code execution vulnerability (CVE-2021-21972) in the VMware vCenter server to upload a malicious file, implant a reverse shell, and gain full remote access.
Akira exploited a remote code execution (RCE) vulnerability in the victim’s VMware vCenter server to upload a malicious JSP file named “healthcheck_beat.jsp,” which likely contained a web shell script that allowed Akira to establish a reverse shell connection back to their attacker machine using NetCat.
With this foothold, it used stolen vCenter administrator credentials to create a new virtual machine on the ESXi hypervisor, providing Akira with a stealthy environment to launch further attacks within the compromised network, potentially evading detection by security tools.Β
It targeted the Active Directory database (NTDS.dit) on a domain controller to steal credentials and gain lateral movement, as they achieved this by shutting down the controller’s VM, copying the VMDK files to another VM, and then extracting the NTDS.dit and SYSTEM hive files.
.webp)
The attack chain identified by S-RM during its forensic investigation into the incident. The SYSTEM hive provided the decryption key for the password hashes stored in NTDS.dit, allowing Akira to crack passwords or use pass-the-hash techniques, and with these stolen credentials, it escalated privileges to a domain administrator account and compromised additional systems within 6 hours.
According to S-RM, it deployed ransomware on a target network by exploiting legacy infrastructure, where the attacker leveraged a legitimate backup client process, beremote.exe, to deliver the ransomware binary to servers.Β
This method bypassed security defenses because the backup client was a trusted process already integrated into the system’s environment, where exploiting remote backups for ransomware deployment is uncommon as attackers usually aim to destroy backups to prevent recovery.
Akira ransomware, like the China-backed UTA0178, uses advanced techniques to bypass security, escalate privileges, and move laterally within a network by exploiting unpatched vulnerabilities and targeting weaknesses in multi-factor authentication.Β
To defend against such attacks, organizations must implement a robust patch management system, enforce multi-factor authentication, and conduct regular security assessments, which can help prevent attackers from gaining a foothold and quickly spreading through the network.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers
The post Akira Ransomware Escalates Privilege To Exfiltrate Domain Controller Files appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
The U.S. Securities and Exchange Commission (SEC) has made changes to Regulation S-P that require financial companies to report data leaks within 30 days. This is a big step toward protecting consumers.
This new rule, which goes into force on May 15, 2024, is meant to strengthen and update the protections for consumer financial information.
ANYRUN malware sandboxβs 8th Birthday Special Offer: Grab 6 Months of Free ServiceBackground on Regulation S-P
Since its introduction in 2000, SEC Regulation S-P has required broker-dealers, investment companies, and licensed investment advisers to protect customer records and information with written policies and procedures.
The rule also explains how to properly delete consumer report information and requires privacy policy notices and opt-out choices.
Over the years, improvements in technology have made data breaches more likely, which is why these changes were needed.
Key Amendments to Regulation S-P
Incident Response Program
The changes say that institutions that are protected must create, use, and keep up with an incident response program.
This program needs to be able to find, stop, and fix instances of customer data being accessed or used without permission. Some critical parts of the incident response method are:
- How to Find and Respond: Steps to find and stop people from accessing or using customer information without permission.
- Steps to stop more unauthorized entry or use are called containment and control.
- Oversight of Service Providers: Rules to make sure service providers do their jobs right and are watched over.
Customer Notification Requirement
One of the changes’ most essential parts is that people who will be impacted must be notified promptly.
When covered organizations learn of a breach, they have 30 days to tell people whose sensitive information has been accessed or used without their permission. This must be in the notice:
- Details of the Incident: Information about what kind of breach it was and how big it was.
- Breached Data: Details about the data that was lost or stolen.
- Protective Measures: Advice on how people who are impacted can keep themselves safe.
Information with a broader range
The changes also allow Regulation S-P to address more types of information.
This includes private, non-public information that the bank gathers about its customers and information it gets from other banks about their customers.
Additional Provisions
Along with these important changes, the changes to Regulation S-P also include the following:
- Protections and Rules for Disposal: Covers all nonpublic personal information that was added.
- Needs for Keeping Records: Covered institutions, but not funding websites, must keep written records that show they follow the rules for disposal and safety.
- Privacy Notice Every Year: Under the FAST Act, institutions don’t have to send a yearly privacy notice if certain conditions are met.
- Extension to Transfer Agents: The rules for both protection and disposal now apply to transfer agents who are registered with the SEC or another regulatory body.
The changes the SEC made to Regulation S-P are a big step toward keeping people’s banking information safe.
By requiring financial companies to report data breaches within 30 days, the SEC hopes to ensure that customers are quickly informed and can take the steps they need to stay safe.
These changes show how data security is changing and how vital means are needed to protect private data in a world that is becoming more and more digital.
Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackersThe post Financial Organizations Need To Disclose Data Breach Within 30-Days appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
-
Multiple threat actors are weaponizing a design flaw in Foxit PDF Reader to deliver a variety of malware such as Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. “This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands,” Check Point said in a technical report. “This exploit has been used by multiple
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
ΒΆΒΆΒΆΒΆΒΆ
CYBERSECURITY / DEFENSE / INTELLIGENCE
