SEC News

What's new arround internet

Last one

Src	Date (GMT)	Titre	Description	Tags	Stories	Notes
	2022-02-22 15:18:36	Enterprise IoT Security Firm Phosphorus Raises $38 Million (lien direct)	Nashville, TN-based IoT security firm Phosphorus Cybersecurity has raised $38 million in a Series A funding round led by SYN Ventures and MassMutual Ventures. Phosphorus discovers, delivers timely and automated patching and credential rotation for IoT devices in what it calls the 'Security of Things'.	Patching Conference	APT 35 APT 35
	2022-02-16 13:00:59	Vendors are Fixing Security Flaws Faster (lien direct)	Google’s Project Zero is reporting that software vendors are patching their code faster. tl;dr In 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago. In addition to the average now being well below the 90-day deadline, we have also seen a dropoff in vendors missing the deadline (or the additional 14-day grace period). In 2021, only one bug exceeded its fix deadline, though 14% of bugs required the grace period. Differences in the amount of time it takes a vendor/product to ship a fix to users reflects their product design, development practices, update cadence, and general processes towards security reports. We hope that this comparison can showcase best practices, and encourage vendors to experiment with new policies. ...	Patching
	2022-02-16 11:25:51	Windows Privilege Escalation: SpoolFool (lien direct)	Introduction Oliver Lyak posted a write-up about a Windows Privilege Escalation vulnerability that persisted in Windows systems even after patching of previous vulnerabilities in Print	Vulnerability Patching
	2022-02-04 15:55:47	How to Protect Cloud Workloads from Zero-day Vulnerabilities (lien direct)	Protecting cloud workloads from zero-day vulnerabilities like Log4Shell is a challenge that every organization faces.Â When a vulnerability is published, organizations can try to identify impacted artifacts through software composition analysis, but even if theyâre able to identify all impacted areas, the patching process can be cumbersome and time-consuming. As we saw with Log4Shell, this […]	Vulnerability Patching
	2022-02-02 10:10:00	CVSS 9.9-Rated Samba Bug Requires Immediate Patching (lien direct)	Open source networking protocol exposed to low complexity attacks	Patching		★★★
	2022-01-20 11:00:00	Twitter Mentions More Effective Than CVSS at Reducing Exploitability (lien direct)	Kenna Security research urges organizations prioritize patching in new ways	Patching
	2022-01-19 22:45:00	Anomali Cyber Watch: Russia-Sponsored Cyber Threats, China-Based Earth Lusca Active in Cyberespionage and Cybertheft, BlueNoroff Hunts Cryptocurrency-Related Businesses, and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, China, HTTP Stack, Malspam, North Korea, Phishing, Russia and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Earth Lusca Employs Sophisticated Infrastructure, Varied Tools and Techniques (published: January 17, 2022) The Earth Lusca threat group is part of the Winnti cluster. It is one of different Chinese groups that share aspects of their tactics, techniques, and procedures (TTPs) including the use of Winnti malware. Earth Lusca were active throughout 2021 committing both cyberespionage operations against government-connected organizations and financially-motivated intrusions targeting gambling and cryptocurrency-related sectors. For intrusion, the group tries different ways in including: spearphishing, watering hole attacks, and exploiting publicly facing servers. Cobalt Strike is one of the group’s preferred post-exploitation tools. It is followed by the use of the BioPass RAT, the Doraemon backdoor, the FunnySwitch backdoor, ShadowPad, and Winnti. The group employs two separate infrastructure clusters, first one is rented Vultr VPS servers used for command-and-control (C2), second one is compromised web servers used to scan for vulnerabilities, tunnel traffic, and Cobalt Strike C2. Analyst Comment: Earth Lusca often relies on tried-and-true techniques that can be stopped by security best practices, such as avoiding clicking on suspicious email/website links and or reacting on random banners urging to update important public-facing applications. Don’t be tricked to download Adobe Flash update, it was discontinued at the end of December 2020. Administrators should keep their important public-facing applications (such as Microsoft Exchange and Oracle GlassFish Server) updated. MITRE ATT&CK: [MITRE ATT&CK] Drive-by Compromise - T1189 \| [MITRE ATT&CK] Exploit Public-Facing Application - T1190 \| [MITRE ATT&CK] Phishing - T1566 \| [MITRE ATT&CK] Command and Scripting Interpreter - T1059 \| [MITRE ATT&CK] Scheduled Task - T1053 \| [MITRE ATT&CK] System Services - T1569 \| [MITRE ATT&CK] Windows Management Instrumentation - T1047 \| [MITRE ATT&CK] Account Manipulation - T1098 \| [MITRE ATT&CK] BITS Jobs - T1197 \| [MITRE ATT&CK] Create Account - T1136 \| [MITRE ATT&CK] Create or Modify System Process - T1543 \| [MITRE ATT&CK] External Remote Services - T1133 \| [MITRE ATT&CK] Hijack Execution Flow	Ransomware Malware Tool Vulnerability Threat Patching Guideline	APT 41 APT 38 APT 29 APT 28 APT 28
	2022-01-13 00:18:27	Meeting Patching-Related Compliance Requirements with TuxCare (lien direct)	Cybersecurity teams have many demands competing for limited resources. Restricted budgets are a problem, and restricted staff resources are also a bottleneck. There is also the need to maintain business continuity at all times. It's a frustrating mix of challenges – with resources behind tasks such as patching rarely sufficient to meet security prerogatives or compliance deadlines. The multitude	Patching
	2022-01-12 18:27:37	Wormable Windows Vulnerability (CVE-2022-21907) Patched by Microsoft (lien direct)	FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of regular MS Patch Tuesday. In those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine vulnerabilities that are rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and "recommends prioritizing the patching of affected servers".Why is this Significant?This is significant because CVE-2022-21907 is considered wormable as such malware can exploit the vulnerability to self-propagate without any user interaction nor elevated privilege. CVE-2022-21907 targets the HTTP trailer support feature that is enabled by default in various Windows 10 and 11 versions, as well as Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).What is CVE-2022-21907?CVE-2022-21907 is a remote code execution vulnerability in HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicous packet to an affected server utilizing the HTTP Protocol Stack (http.sys) to process packets, which leads to remote code execution.Which Versions of Windows are Vulnerable?Per the Microsoft advisory, the following Windows versions are vulnerable:Windows Server 2019Windows Server 2022Windows 10Windows 11Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.Is the Vulnerability Exploited in the Wild?FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.Has the Vendor Released a Fix?Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of regular Patch Tuesday.What is the Status of Coverage?FortiGuard Labs is currently investigating protection and will update this Threat Signal once coverage information becomes available.Any Mitigation?Microsoft provided the following mitigation in the advisory:In Windows Server 2019 and Windows 10 version 1809, the the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\"EnableTrailerSupport"=dword:00000001This mitigation does not apply to the other affected versions.	Malware Vulnerability Threat Patching Guideline
	2022-01-11 22:42:18	First Patch Tuesday of 2022 Brings Fix for a Critical \'Wormable\' Windows Vulnerability (lien direct)	Microsoft on Tuesday kicked off its first set of updates for 2022 by plugging 96 security holes across its software ecosystem, while urging customers to prioritize patching for what it calls a critical "wormable" vulnerability. Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-day publicly known at the time of the release. This is in	Vulnerability Patching
	2022-01-11 12:29:57	How Can You Leave Log4J in 2021? (lien direct)	With the last month of 2021 dominated by the log4J vulnerabilities discovery, publication, and patches popping up in rapid succession, odds are you have patched your system against Log4J exploitation attempts. At least some systems, if not all. You might even have installed the latest patch – at the time of writing, that is 2.17.1, but, if the last rapid patching cycle persists, it might have	Patching
	2022-01-07 22:16:03	EoL Systems Stonewalling Log4j Fixes for Fed Agencies (lien direct)	End of life, end of support, pandemic-induced shipping delays and remote work, scanning failures: It's a recipe for a patching nightmare, federal cyberserurity CTO Matt Keller says.	Patching
	2021-12-21 11:13:37	Warning over patching Active Directory takeover flaws (lien direct)	Customers of Microsoft are being cautioned to patch a couple of Active Directory domain service privilege escalation flaws that together could allow bad actors takeover of Windows domains. The two security updates go by CVE-2021-42287 and CVE-2021-42278 and were originally reported by Andrew Bartlett of Catalyst IT. The urgency to patch these security vulnerabilities escalated as a new […]	Patching
	2021-12-21 10:54:50	Understanding the Impact of Apache Log4j Vulnerability (lien direct)	Posted by James Wetter and Nicky Ringland, Open Source Insights Team Editors Note:The below numbers were calculated based on both log4j-core and log4j-api, as both were listed on the CVE. Since then, the CVE has been updated with the clarification that only log4j-core is affected.The ecosystem impact numbers for just log4j-core, as of 19th December are over 17,000 packages affected, which is roughly 4% of the ecosystem. 25% of affected packages have fixed versions available.The linked list, which continues to be updated, only includes packages which depend on log4j-core.##More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry. The vulnerabilities allow an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j. This exploitable feature was enabled by default in many versions of the library.This vulnerability has captivated the information security ecosystem since its disclosure on December 9th because of both its severity and widespread impact. As a popular logging tool, log4j is used by tens of thousands of software packages (known as artifacts in the Java ecosystem) and projects across the software industry. User's lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability. Using Open Source Insights, a project to help understand open source dependencies, we surveyed all versions of all artifacts in the Maven Central Repository to determine the scope of the issue in the open source ecosystem of JVM based languages, and to track the ongoing efforts to mitigate the affected packages.How widespread is the log4j vulnerability?As of December 16, 2021, we found that 35,863 of the available Java artifacts from Maven Central depend on the affected log4j code. This means that more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability. (These numbers do not encompass all Java packages, such as directly distributed binaries, but Maven Central is a strong proxy for the state of the ecosystem.)As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%.	Vulnerability Patching
	2021-12-20 19:29:59	Google Finds 35,863 Java Packages Using Defective Log4j (lien direct)	The computer security industry is bracing for travel on long, bumpy roads littered with Log4j security problems as experts warn that software dependency patching hiccups will slow global mitigation efforts.	Patching
	2021-12-20 10:43:00	New Log4j Patch Released to Fix DoS Flaw (lien direct)	CISA updates patching guidance to demand immediate action	Patching
	2021-12-17 22:01:12	December 2021 Patch Tuesday: AppX Installer Zero-day, Multiple Critical Vulnerabilities (lien direct)	Itâs the last Patch Tuesday update of 2021, and as with many other updates this year, this monthâs list includes important ones â among them a zero-day (CVE-2021-43890 in AppX installer), multiple critical vulnerabilities and a variety of attack types utilized in several Microsoft product families â highlighting once again that patching and prioritization are […]	Patching
	2021-12-14 17:21:51	How to Buy Precious Patching Time as Log4j Exploits Fly (lien direct)	Podcast: Cybereason shares details about its vaccine: a fast shot in the arm released within hours of the Apache Log4j zero-day horror show being disclosed.	Patching
	2021-12-13 20:08:46	Apple Patches 42 Security Flaws in Latest iOS Refresh (lien direct)	Apple has released a major point-update to its flagship iOS mobile operating system, beefing up app privacy protections and patching at least 42 security defects that expose users to malicious hacker attacks.	Patching
	2021-12-07 15:08:56	NICKEL - Targeting Organizations Across Europe, North America, and South America (lien direct)	FortiGuard Labs is aware of reports relating to NICKEL, a state sponsored group targeting varying interests in Europe, North and South America. NICKEL is a state sponsored group operating out of China and is targeting governmental organizations, diplomatic groups and non governmental organizations in 29 countries.NICKELs' modus operandi is the usage of exploits on unpached systems to compromise vulnerable systems and their unpatched services. Observed exploits used by NICKEL included the exploitation of services such as Microsoft Exchange, Microsoft SharePoint, and Pulse Secure VPN. Microsoft filed pleadings with the United States District Court of Eastern Virginia on December 2nd to seize control of servers used by NICKEL.What are the Technical Details?NICKEL malware variants use Internet Explorer COM interfaces to receive instructions from predefined command and control (C2) servers. The malware will then connect to the web-based C2 servers to check for a specific string located on these servers. Once confirmed, the malware will decode a Base64 encoded blob that will load shellcode for further exploitation.NICKEL malware is capable of capturing system information such as the IP address, OS version, system language, computer name and username of the current signed in user. It also contains backdoor functionality to execute commands and to upload and download files. NICKEL then uses the stolen and compromised credentials of the targeted victim to login to Microsoft 365 accounts via browser logins to exfiltrate victim emails for further damage.What Other Names is NICKEL Known As?According to Microsoft - NICKEL is also known as APT15, APT25, and Ke3Chang.Is this Limited to Targeted Attacks?Yes. Attacks are limited to varying targets in specific countries and verticals.What Countries were Targeted?They are:Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, United Kingdom, United States of America, and Venezuela.What is the Status of Protections?FortiGuard Labs provides the following AV coverage used in this campaign as:W32/Staser.COFE!trW32/Staser.CBQX!trW32/NetE.VH!trW32/BackDoor.U!trAll network IOC's are blocked by the FortiGuard WebFiltering client.Any Other Suggested Mitigation?Because it has been reported that NICKEL obtains access via unpatched and vulnerable systems, It is important to ensure that all known vendor vulnerabilities are addressed and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spear phishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spear phishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.	Malware Patching Guideline	APT 15 APT 25	★★★★
	2021-12-03 17:58:53	Mozilla patches critical “BigSig” cryptographic bug: Here\'s how to track it down and fix it (lien direct)	Mozilla's cryptographic code had a critical bug. Problem is that numerous apps are affected and may need patching individually.	Patching
	2021-11-30 11:24:48	Recent APT37 Activity and Chinotto, a Multi Platform Infostealer (lien direct)	FortiGuard Labs is aware of reports of recent activity from APT37. APT37 is a nation-state threat actor attributed to North Korea. The latest discovery by researchers at Kaspersky Labs has revealed a sophisticated, targeted attack that utilizes the stolen credentials from Facebook and email accounts belonging to an associate of the targeted victim.The victim was socially engineered and compelled into opening rar zipped attachments purporting to be from the trusted sender that contained a malicious Word document. The Word document is multi stage in design, and uses a malicious macro to initiate the first stage. The first stage detects the presence of AV software, and if AV is not present will initiate the second stage which is a shellcode that will download the final third stage payload.Ultimately, after several months of dwelling undetected on the infected system, the backdoor will then download the multiplatform infostealer, "Chinotto." Windows variants were sent via spearphishing emails and Android variants were sent via SMShing texts.What Operating Systems are Affected?Chinoto targets Windows and Android based operating systems.Is This Limited to Targeted Attacks?Yes.How Serious of an Issue is This?Medium.What is APT37?APT37 (also known as GROUP123 and Scarcruft), attributed to North Korean threat actors, has been in operation for several years. During that time, APT37 has been attributed to the Adobe Flash zero-day attack (CVE-2018-4878) that targeted researchers based in South Korea who were performing research on North Korea. APT37 focuses on various organizations with an interest in North Korea.APT37 is famous for exploiting vulnerabilities in the Hangul Word Processor (HWP) which is commonly used in South Korea, especially by those in the government sector. Analysis suggests that this is a very detailed and sophisticated threat actor with an arsenal of malware and exploits at their disposal that targets various verticals and organizations with specially crafted campaigns. Other vectors besides the Adobe and Hangul vulnerabilities observed were the usage of Microsoft vulnerabilities as well, specifically CVE-2017-0199 (Microsoft Office UAC bypass) and CVE-2015-2545 (Microsoft Office Encapsulated PostScript (EPS). For further details on the exploitation of HWP documents and campaigns previously analyzed, please refer to our blog here.What is the Status of Coverage?FortiGuard Labs has AV coverage in place for publicly available samples as:VBA/Agent.AAK!trW32/PossibleThreatVBA/Agent.AF3C!trW32/Agent.ACDD!trPossibleThreat.MUPossibleThreat.PALLAS.HW32/FRS.VSNTGF20!trW32/Bsymem.MSJ!trAll network IOCs are blocked by the WebFiltering client.Any Other Suggested Mitigation?Due to the ease of disruption and the potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc. it is important to keep all AV and IPS signatures up to date.It is also important to ensure that all known vendor vulnerabilities are addressed and updated to protect from attackers having a foothold within a network. Attackers are well aware of the difficulty of patching and if it is determined that patching is not feasible at this time, an assessment should be conducted to determine risk.Also, as this campaign was sent via spearphishing and smsshing - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing/smishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing/spearphishing/smishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Si	Malware Threat Patching Cloud	APT 37
	2021-11-29 15:31:33	WFH security: How to protect your remote endpoints from vulnerabilities (lien direct)	Many organizations lack an effective patch management program, especially when it comes to patching remote systems, says Action1.	Patching
	2021-11-23 20:30:00	Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Emotet malware is back and rebuilding its botnet via TrickBot (published: November 15, 2021) After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks. Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated. *For Anomali ThreatStream Customers* To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream. MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 \| [MITRE ATT&CK] Shared Modules - T1129 \| [MITRE ATT&CK] Data Encrypted - T1022 \| [MITRE ATT&CK] Ingress Tool Transfer - T1105 \| [MITRE ATT&CK] Automated Collection - T1119 Tags: Emotet, Trickbot, phishing, ransomware Wind Turbine Giant Offline After Cyber Incident (published: November 22, 2021) The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near	Ransomware Spam Malware Tool Vulnerability Threat Patching
	2021-11-16 13:21:08	New secret-spilling hole in Intel CPUs sends company patching (again) (lien direct)	Researchers figure out how to obtain the "fuse encryption key" unique to each CPU.	Patching
	2021-11-12 19:27:28	PSA: Apple isn\'t actually patching all the security holes in older versions of macOS (lien direct)	Big Sur got a fix 234 days before Catalina did, although both are supported.	Patching
	2021-11-10 12:34:31	Recent Updates to the OWASP Top Ten Web Application Security Risks (lien direct)	The Open Web Application Security Project (aka OWASP) recently announced its latest updates to the venerable OWASP Top Ten list. This publication is meant to bring attention to the most common classes of software-related security issues facing developers and organizations in the hopes of helping them to better plan for and address potential high-severity issues in their codebases. While not specifically an industry standard, it is highly regarded among the security community and is regularly combined with findings from application security vendors and researchers to create a reference point for secure coding practices. The newest edition does make updates to certain conventions but also highlights the consistent issues seen throughout the years, such as injection attacks and insecure components. Initially notable is the more generalized approach to categorization and naming, with OWASP describing the motivation for these changes as a “focus on the root cause over the symptom.” Given the complexity of modern web applications and software stacks, this new focus is a prudent reminder that focusing solely on the high-level presentation of flaws within complicated vulnerability taxonomies will only go so far in preventing breaches, and that true progress at any scale will only be made by remediations that address the underlying cause of discovered issues. Supporting this focus is the inclusion of the new category A04:2021 – Insecure Design, bringing attention to the ever-growing need to address vulnerable application architectures and software flaws much earlier in the development process. While there has been considerable discussion about the industry's need to “shift left” for the past several years, it is apparent that a lack of threat modeling and overall secure design continues to be a major issue for applications of all types. It is nice to see these concerns formally addressed at this level in the broader context of security risk awareness. The addition of A08:2021 – Software and Data Integrity Failures and the higher ranking for A06:2021 – Vulnerable and Outdated Components both appear to be in a similar vein, further underscoring the need for organizations to prioritize the security controls associated with the development pipeline and surrounding technologies as much as the specifics of the application code itself. The frameworks, software libraries, and other tools that development teams rely on are updated with increasing speed. It is easier than ever for organizations to fall behind on patching and management of these supporting components. These areas will continue to be points of security concern for years to come, and the industry should continue the work of better addressing the role of tooling and pipeline concerns, as well as application threat modeling, within the general scope of security issues across the board. The movement of A01:2021 – Broken Access Control to the number one position, while hardly a surprise, is reason for concern primarily due to the obstacles associated with detecting issues of this nature. Underlying many access control flaws are fundamental application logic errors, most of which are currently difficult, if not impossible, to discover with automated scanning of any kind. As most companies are unable to have penetration testers examine every release, applications may only undergo thorough manual security audits relatively infrequently, leaving a large footprint of possible flaws whose discovery and remediation times are measured in months, or even years. Further complexity is introduced as modern web technologies move toward microservice architectures and application containerization, creating a need to test for access control issues related to the nuances of these components as well. While teams may do their best to adhere to a least-privilege model, it quickly becomes more difficult to follow best practice guidelines as additional endpoints and APIs are added and role managemen	Vulnerability Threat Patching
	2021-10-23 16:00:00	Topic-specific example 11/11: secure development (lien direct)	The final topic-specific policy example from ISO/IEC 27002:2022 is another potential nightmare for the naïve and inexperienced policy author. Despite the context, the title of the standard's policy example ("secure development") doesn't explicitly refer to software or IT. Lots of things get developed - new products for instance, business relationships, corporate structures and so on. Yes, even security policies get developed! Most if not all developments involve information (requirements/objectives, specifications, plans, status/progress reports etc.) and potentially substantial information risks ... so the policy could cover those aspects, ballooning in scope from what was presumably intended when the standard was drafted.Even if the scope of the policy is constrained to the IT context, the information security controls potentially required in, say, software development are many and varied, just as the development and associated methods are many and varied, and more poignantly so are the information risks. Your homework challenge, today, is to consider, compare and contrast these five markedly different IT development scenarios:Commercial firmware being developed for a small smart actuator/sensor device (a thing) destined to be physically embedded in the pneumatic braking system of commercial vehicles such as trucks and coaches, by a specialist OEM supplier selected on the basis of lowest price. A long-overdue technical update and refresh for a German bank's mature financial management application, developed over a decade ago by a team of contractors long since dispersed or retired, based on an obsolete database, with fragmentary documentation in broken English and substantial compliance implications, being conducted by a large software house based entirely in India. A cloud-based TV program scheduling system for a global broadcaster, to be delivered iteratively over the next two years by a small team of contractors under the management of a consultancy firm for a client that freely admits it barely understands phase 1 and essentially has no idea what might be required next, or when.A departmental spreadsheet for time recording by home workers, so their time can be tracked and recharged to clients, and their productivity can be monitored by management.Custom hardware, firmware and autonomous software required for a scientific exploration of the Marianas trench - to be deployed in the only two deep-sea drones in existence that are physically capable of delivering and recovering the payload at the extreme depths required.You may have worked in or with projects/initiatives vaguely similar to one, maybe even two or three of these, but probably not all five - and these are just a few random illustrative examples plucked from the millions of such activities going on right now. The sheer number and variety of possibilities is bewildering, so how on earth can one draft a sensible policy?As is the way with ISO27k, the trick is to focus on the information	Patching Guideline
	2021-10-19 15:00:00	Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More (lien direct)	The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, Metasploit, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Trending Cyber News and Threat Intelligence Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia (published: October 18, 2021) A new threat group dubbed ‘Harvester’ has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and Telecom companies, combined with the information stealing campaign, there is a high likelihood that this group is Nation-State backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it doesn’t exist, a redirect is performed for a VBS file to download and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration. Analyst Comment: Nation-state threat actors are continually evolving their tactics, techniques and tools to adapt and infiltrate victim governments and/or companies. Ensure that employees have a training policy that reflects education on only downloading programs or documents from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicous activity may be occurring. MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 \| [MITRE ATT&CK] Process Discovery - T1057 Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes (published: October 14, 2021) Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers - but also by attackers - to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof-of-concept (PoC) for an exploit can insert "Interactsh" to check whether the exploit is working, but the service could also be used to check if the PoC is working. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021. Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools in order to reach a goal. In this instance, Interact.sh can be used to show if an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, with this being the latest example. If necessary, take precautions and block traffic with interact.sh attached to it within company networks. Tags: Interactsh, Exploits	Ransomware Spam Malware Tool Vulnerability Threat Patching Guideline
	2021-10-18 09:00:32	Why Database Patching Best Practice Just Doesn\'t Work and How to Fix It (lien direct)	Patching really, really matters – patching is what keeps technology solutions from becoming like big blocks of Swiss cheese, with endless security vulnerabilities punching hole after hole into critical solutions. But anyone who's spent any amount of time maintaining systems will know that patching is often easier said than done. Yes, in some instances, you can just run a command line to install	Patching
	2021-10-14 11:00:00	Threat Source newsletter (Oct. 14, 2021) (lien direct)	Newsletter compiled by Jon Munshaw.Good afternoon, Talos readers. It's still Cybersecurity Awareness Month, and what better way to celebrate by patching and then patching some more? This week was Microsoft Patch Tuesday, which only included two critical vulnerabilities, but still... [[ This is only the beginning! Please visit the blog for the complete entry ]]	Patching
	2021-10-11 14:30:00	Selecting a Threat Intelligence Platform (TIP) (lien direct)	Do You Need a TIP? Many organizations struggle with managing threat intelligence. There is too much data noise, reliance on manual processes that make it harder to correlate relevant intelligence, and difficulties in producing and distributing actionable reports to the right people. Organizations turn to a Threat Intelligence Platform or TIP to help alleviate some of these problems. A TIP is like a nerve center that pulls raw data and intelligence from multiple sources into a central repository. Using automation, it sifts through and correlates that data to find relevant intelligence through curation, normalization, enrichment, and risk scoring. A TIP can create a feedback loop that integrates with existing security systems by analyzing and sharing relevant, actionable threat intelligence across an organization. Key benefits of a TIP are reducing time to detection, enabling collaboration, and producing actionable information for stakeholders. Top Considerations When Selecting a TIP Stakeholders The search for a TIP should begin with a clear understanding of the audience it will be serving. The most frequent users of a TIP are threat intelligence analysts, SOC analysts, cyber threat hunters, IR analysts, and CISOs, each with different needs and expectations they hope to garner from the TIP. For example, threat intelligence analysts can use the curated information to create adversary dossiers, while CISOs can execute on strategic goals and keep costs down through time saved by automation. Collaboration Collaboration and threat intelligence sharing between groups is a core benefit of a TIP. In selecting a TIP, it is fundamental to understand organizational structure and how communications flow. Different teams should be able to share knowledge from anywhere at any time and with the ability to integrate the TIP into existing security systems. Choose your TIP based on the collaboration you require. Another factor in collaboration is the reporting capabilities of a TIP. Complete reports will be automated, including real-time alerts and summaries customized for different stakeholders and your specific industry. Data Aggregation and Curation within Context The ability of a TIP to ingest customized imports of data from internal and external sources is at the heart of its functionality. The flexibility of setting up customized data imports while also automatically pulling information from vendors or trusted third parties empowers security analysts to be more efficient. They will also have the ability to parse and index both structured (e.g., STIX/TAXII) and unstructured data (e.g., blogs, whitepapers, etc.). Another critical function of a TIP is curating the information it takes in. Optimizing curated data is vital when clarifying the context within your platform. Malicious actors that directly affect your industry and organization will get targeted using the intelligence produced by your TIP. Therefore, how you import vendor data and modify it to your organization’s specific needs is critical. Machine learning algorithms should sort the information and weigh the individual indicators of compromise (IoCs) based on context and user-defined scoring and relevance. Vulnerabilities native to the organization are the other side of the context equation. A TIP needs to match high-scoring IoCs with "crown jewels" and other essential assets. Patching is utilized to protect the most critical infrastructure. Determining the vulnerability context upfront will help determine the feedback loop that a TIP needs to facilitate. Deployment	Vulnerability Threat Patching
	2021-10-07 17:43:00	Patching Too Tortuous for IT Pros (lien direct)	IT security professionals find patching too time consuming and complicated	Patching
	2021-10-04 18:15:09	CVE-2021-41099 (lien direct)	Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the underlying string library can be used to corrupt the heap and potentially result with denial of service or remote code execution. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted network payloads or commands. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.	Vulnerability Patching		★★★
	2021-10-04 18:15:08	CVE-2021-32628 (lien direct)	Redis is an open source, in-memory database that persists on disk. An integer overflow bug in the ziplist data structure used by all versions of Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves modifying the default ziplist configuration parameters (hash-max-ziplist-entries, hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value) to a very large value, and then constructing specially crafted commands to create very large ziplists. The problem is fixed in Redis versions 6.2.6, 6.0.16, 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the above configuration parameters. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.	Vulnerability Patching
	2021-10-04 18:15:08	CVE-2021-32687 (lien direct)	Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.	Vulnerability Patching
	2021-10-04 18:15:08	CVE-2021-32675 (lien direct)	Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authentication requests, this vulnerability can also be exploited by unauthenticated users. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate this problem without patching the redis-server executable is to block access to prevent unauthenticated users from connecting to Redis. This can be done in different ways: Using network access control tools like firewalls, iptables, security groups, etc. or Enabling TLS and requiring users to authenticate using client side certificates.	Vulnerability Patching
	2021-10-04 18:15:08	CVE-2021-32626 (lien direct)	Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.	Patching
	2021-10-04 18:15:08	CVE-2021-32627 (lien direct)	Redis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.	Vulnerability Patching
	2021-09-30 14:11:13	Telemetry Report Shows Patch Status of High-Profile Vulnerabilities (lien direct)		Patching
	2021-09-27 16:15:09	CVE-2021-36845 (lien direct)	Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities in YITH Maintenance Mode (WordPress plugin) versions	Patching
	2021-09-24 07:13:20	(Déjà vu) Researcher drops three iOS zero-days that Apple refused to fix (lien direct)	Proof-of-concept exploit code for three iOS zero-day vulnerabilities (and a fourth one patched in July) was published on GitHub after Apple delayed patching and failed to credit the researcher. [...]	Patching
	2021-09-24 07:13:20	Exploit code released for three iOS 0-days that Apple failed to patch (lien direct)	Proof-of-concept exploit code for three iOS zero-day vulnerabilities (and a fourth one patched in July) was published on GitHub after Apple delayed patching and failed to credit the researcher. [...]	Patching
	2021-09-24 03:51:21	Check: that Republican audit of Maricopa (lien direct)	Author: Robert Graham (@erratarob)Later today (Friday, September 24, 2021), Republican auditors release their final report on the found with elections in Maricopa county. Draft copies have circulated online. In this blogpost, I write up my comments on the cybersecurity portions of their draft.https://arizonaagenda.substack.com/p/we-got-the-senate-audit-reportThe three main problems are:They misapply cybersecurity principles that are meaningful for normal networks, but which don't really apply to the air gapped networks we see here.They make some errors about technology, especially networking.They are overstretching themselves to find dirt, claiming the things they don't understand are evidence of something bad.In the parts below, I pick apart individual pieces from that document to demonstrate these criticisms. I focus on section 7, the cybersecurity section, and ignore the other parts of the document, where others are more qualified than I to opine.In short, when corrected, section 7 is nearly empty of any content.7.5.2.1.1 Software and Patch Management, part 1They claim Dominion is defective at one of the best-known cyber-security issues: applying patches.It's not true. The systems are “air gapped”, disconnected from the typical sort of threat that exploits unpatched systems. The primary security of the system is physical.This is standard in other industries with hard reliability constraints, like industrial or medical. Patches in those systems can destabilize systems and kill people, so these industries are risk averse. They prefer to mitigate the threat in other ways, such as with firewalls and air gaps.Yes, this approach is controversial. There are some in the cybersecurity community who use lack of patches as a bludgeon with which to bully any who don't apply every patch immediately. But this is because patching is more a political issue than a technical one. In the real, non-political world we live in, most things don't get immediately patched all the time.7.5.2.1.1 Software and Patch Management, part 2They claim new software executables were applied to the system, despite the rules against new software being applied. This isn't necessarily true.There are many reasons why Windows may create new software executables even when no new software is added. One reason is “Features on Demand” or FOD. You'll see new executables appear in C:\Windows\WinSxS for these. Another reason is their .NET language, which causes binary x86 executables to be created from bytecode. You'll see this in the C:\Windows\assembly directory.The auditors simply counted the number of new executables, with no indication which category they fell in. Maybe they are right, maybe new software was installed or old software updated. It's just that their mere counting of executable files doesn't show understanding of these differences.7.5.2.1.2 Log ManagementThe auditors claim that a central log management system should be used.This obviously wouldn't apply to “air gapped” systems, because it would need a connection to an external network.Dominion already designates their EMSERVER as the central log repository for their little air gapped network. Important files from C: are copied to D:, a RAID10 drive. This is a perfectly adequate solution, adding yet another computer to their little network would be overkill, and add as many security problems as it solved.One could argue more Windows logs need to be preserved, but that would simply mean archiving the from the C: drive onto the D: drive, not that you need to connect to the Internet to centrally log files.7.5.2.1.3 Credential ManagementLike the other sections, this claim is out of place	Threat Patching
	2021-09-23 04:16:28	Why You Should Consider QEMU Live Patching (lien direct)	Sysadmins know what the risks are of running unpatched services. Given the choice, and unlimited resources, most hardworking administrators will ensure that all systems and services are patched consistently. But things are rarely that simple. Technical resources are limited, and patching can often be more complicated than it appears at first glance. Worse, some services are so hidden in the	Patching
	2021-09-22 16:17:33	VMware Warns of Ransomware-Friendly Bug in vCenter Server (lien direct)	VMware urged immediate patching of the max-severity, arbitrary file upload flaw in Analytics service, which affects all appliances running default 6.5, 6.7 and 7.0 installs.	Patching
	2021-09-14 11:00:02	Close to half of on-prem databases contain vulnerabilities, with many critical flaws (lien direct)	The Microsoft Exchange attack wave revealed the risks, but patching isn't always straightforward.	Patching		★★★
	2021-09-10 08:25:31	2003 Testimony to Congress Proves That We Still Have a Long Way to Go In Building Secure Software (lien direct)	Back in May 1998, as a member of the hacker think tank, L0pht, I testified under my hacker name, Weld Pond, in front of a U.S. Senate committee investigating government cybersecurity. It was a novel event. Hackers, testifying under their hacker names, telling the U.S. government how the world of cybersecurity really was from those down in the computer underground trenches. Many in the security community know of the famous L0pht Senate testimony, but very few know that one of the L0pht members testified on Capitol Hill 5 years later. That member was me. This time I testified as a cybersecurity professional using my real name. I was the director of research and development at @stake, an information security consulting company. Back in the summer of 2003, the internet was plagued with worms such as Blaster and Sobig. The U.S. House of Representatives Committee on Government Reform wanted to hold hearings to understand the problem. Why had 400,000 computers been infected with Blaster in less than five days when the patch that would have prevented the attack had been available for over a month? I was asked to testify to help the committee understand vulnerability research. How were the vulnerabilities discovered that lead to worms like Blaster, and why were these latent vulnerabilities there in the first place? The problems I spoke of in 2003, sadly, are still here with us 18 years later. Large amounts of software are still not designed defensively… and not built with security testing embedded in the development process. The economics of software development still leads to the reuse of old insecure software. Computer users still loath updating to new, more secure versions of software due to costs and resources required. I discussed how the root cause of viruses and worms was security flaws in the design or implementation of software. I still believe this today (even though most vulnerabilities are not “wormable” or attackers choose to attack with more precision). I discussed the problems with a ship-it-vulnerable, patch-it-later approach. Even now with some products using auto-updating, patching is often late or doesn't happen at all due to the resources required to patch in an enterprise IT environment. Most of what I spoke of was the world of vulnerability research. Who were the people – like the researchers from the Last Stage of Delirium – that discovered the Blaster vulnerability? Why would they do this? How did they do this? How is it possible that they found a security bug when the vendor didn't? Then I spoke about the safe vulnerability disclosure process: How researchers could work with vendors to keep the internet safer despite vulnerable software everywhere. This type of process is now widely followed by researchers and vendors and is codified into an ISO standard. We have made progress on the challenge of building software more securely, distributing patches better, and handling vulnerability disclosure better. But the gains are far less substantial than they should be after 18 years. In my 2003 testimony, I said, “The current flawed computing infrastructure is not going to change for the better overnight. It will take many years of hard work.” We are still in the “many years” phase and perhaps will be for another decade. Take a look at my 2003 testimony and see for yourself just how far we still need to go.	Vulnerability Patching Guideline
	2021-09-03 15:15:09	CVE-2021-39192 (lien direct)	Ghost is a Node.js content management system. An error in the implementation of the limits service between versions 4.0.0 and 4.9.4 allows all authenticated users (including contributors) to view admin-level API keys via the integrations API endpoint, leading to a privilege escalation vulnerability. This issue is patched in Ghost version 4.10.0. As a workaround, disable all non-Administrator accounts to prevent API access. It is highly recommended to regenerate all API keys after patching or applying the workaround.	Patching Guideline
	2021-08-26 09:00:00	Protecting critical infrastructure: Mapping and patching CVEs is not enough for robust defense (lien direct)	Mapping and patching common vulnerabilities and exposure (CVEs) is not enough to achieve truly robust defense. This blog discusses the limits of vulnerability tracking and how self-learning technology can help achieve the goals of Bidenâs National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.	Vulnerability Patching

Last update at: 2024-05-09 11:07:58
See our sources.

To see everything: Our RSS (filtrered)