What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
ZDNet.webp 2019-08-23 11:23:05 Asruex Trojan exploits old Office, Adobe bugs to backdoor your system (lien direct) The malware's selection of old vulnerabilities highlights a patching issue worldwide. Patching
SecurityWeek.webp 2019-08-14 04:57:00 BlueKeep Patching Efforts Sink: 750,000 Systems Still Vulnerable (lien direct) More than 750,000 systems remain vulnerable to the BlueKeep vulnerability as the patching rate has decreased by around 85%, a new report from security firm BitSight reveals.  Vulnerability Patching
TechRepublic.webp 2019-08-07 14:23:02 Businesses need to patch for BlueKeep to avoid another WannaCry (lien direct) BitSight is sounding an alarm over the potential for patching to taper off, leaving legacy systems at risk for the potentially potent vulnerability. Patching Wannacry
ZDNet.webp 2019-07-29 15:00:00 Urgent11 security flaws impact routers, printers, SCADA, and many IoT devices (lien direct) Security updates are out, but patching will most likely take months, if not years. Patching
ZDNet.webp 2019-07-17 22:31:00 Gigabyte and Lenovo servers impacted by common BMC firmware flaws (lien direct) Two different bugs, EOLs, and a complex supply chain make patching a nightmare. Patching
ESET.webp 2019-07-17 18:53:04 BlueKeep patching isn't progressing fast enough (lien direct) Keeping up with BlueKeep; or how many internet-facing systems, and in which countries and industries, remain ripe for exploitation? Patching
AlienVault.webp 2019-07-01 13:00:00 Linux Servers Under Worm Attack Via Exim Flaw | AT&T ThreatTraq (lien direct) Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers.  I really enjoy them; you can subscribe to the Youtube channel to stay updated. This is a transcript of a recent feature on ThreatTraq.  The video features Michael Stair, Lead Member of Technical Staff, AT&T, Matt Keyser, Principal Member of Technical Staff, and Manny Ortiz, Director Technology Security, AT&T. Michael: A flaw in Exim is leaving millions of Linux servers vulnerable. Matt: Hey, Mike. I heard there was a pretty serious flaw affecting Exim email servers. What can you tell us about it? Michael: Yes, attackers are exploiting a pretty critical flaw in the popular Linux Exim mail transport agent, MTA, allowing for remote command execution. Exim is an SMTP mail relay. It's pretty popular, and runs a large percentage of internet mail servers. It's the default MTA on some Linux systems. From a recent Shodan scan, it could affect up to three-and-a-half million vulnerable servers. The bug itself was tracked down to improper validation in some of the recipient addresses. One of the functions was given a 9.8 out of 10 on the CVSS v3 scale. It affects versions 4.87 to 4.98, but I think the latest version 4.92 is unaffected. Matt: So it's a big bug. And it is a remote code execution (RCE) bug, which is one of the most critical types you could possibly have. Michael: They do have patches out. They're porting patches to all versions, back to 4.87, if you're using an older version. So just make sure you're patching and making sure you're up to date with the most recent version because it's a pretty serious issue. Matt: It sounds like it's something you could just address the email to somebody and you just drop an exploit in there and it's remote code execution? 
Michael: Yeah, it seems like it's pretty simple to exploit. And there's actually a worm that's exploiting this and finding new systems. Matt: Wow. Manny: From what I understand, you can actually put a command that eventually the server will run, but from what I understand, the server may take seven days before it actually activates the exploit. It appears there's some sort of timeout that happens after seven days when the email is determined to have an invalid mail address, and then the server runs the actual command. Michael: Right. Matt: But that means I could hand-type the exploit code. Is that roughly correct or is it something you'd have to craft or a little more difficult to do? Manny: Right. The example I saw was just a simple command where it went and did a get to an actual external IP address. Matt: So you're getting a shell. Manny: Yes. Or you can have the box basically go run some code offline or off net, so it basically gives you an open command line to run whatever you want on the box. Matt: So it's totally possible that your box has been exploited and you won't know for seven days? Manny: Exactly.  Michael: Exactly. Matt: That's a scary thought, right? Manny: The sky is the limit when it comes to a bad actor that wants to take advantage of this vulnerability. They can come up with anything they want to. If they want to mine cryptocurrency, they can. If they want to set the server up to do DDoS attacks, they can. I think, Mike, you said that there is a patch f Patching Guideline ★★★
bleepingcomputer.webp 2019-06-21 12:34:05 BlueKeep Warnings Pay Off, Boost Patching in Enterprise Networks (lien direct) The multiple warnings about patching Windows systems against the BlueKeep vulnerability (CVE-2019-0708) have not gone unheeded. Administrators of enterprise networks listened and updated most of the machines affected by the issue. [...] Vulnerability Patching
The_Hackers_News.webp 2019-06-21 02:11:04 Firefox 67.0.4 Released - Mozilla Patches Second 0-Day Flaw This Week (lien direct) Okay, folks, it's time to update your Firefox web browser once again-yes, for the second time this week. After patching a critical actively-exploited vulnerability in Firefox 67.0.3 earlier this week, Mozilla is now warning millions of its users about a second zero-day vulnerability that attackers have been found exploiting in the wild. The newly patched issue (CVE-2019-11708) is a "sandbox Vulnerability Patching
ZDNet.webp 2019-06-20 19:00:04 Mozilla fixes second Firefox zero-day exploited in the wild (lien direct) Two days after patching the first zero-day, Mozilla fixes a second one, used in the same attacks as the first. Patching
ZDNet.webp 2019-05-31 11:31:03 Microsoft issues second warning about patching BlueKeep as PoC code goes public (lien direct) Time's running out on patching older systems against the BlueKeep vulnerability. Patching
ErrataRob.webp 2019-05-28 06:20:06 Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708) (lien direct) Microsoft announced a vulnerability in its "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness. To scan the Internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop -- in theory. This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop. Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It's a thousand times slower, but it's only scanning the results from masscan instead of the entire Internet. The table of results is as follows:
1447579  UNKNOWN - receive timeout
1414793  SAFE - Target appears patched
1294719  UNKNOWN - connection reset by peer
1235448  SAFE - CredSSP/NLA required
 923671  VULNERABLE -- got appid
 651545  UNKNOWN - FIN received
 438480  UNKNOWN - connect timeout
 105721  UNKNOWN - connect failed 9
  82836  SAFE - not RDP but HTTP
  24833  UNKNOWN - connection reset on connect
   3098  UNKNOWN - network error
   2576  UNKNOWN - connection terminated
The various UNKNOWN things fail for various reasons. A lot of them are because the protocol isn't actually Remote Desktop and respond weirdly when we try to talk Remote Desktop. A lot of others are Windows machines, sometimes vulnerable and sometimes not, but for some reason return errors sometimes. The important results are those marked VULNERABLE. There are 923,671 vulnerable machines in this result. That means we've confirmed the vulnerability really does exist, though it's possible a small number of these are "honeypots" deliberately pretending to be vulnerable in order to monitor hacker activity on the Internet. The next results are those marked SAFE due to probably being "patched". Actually, it doesn't necessarily mean they are patched Windows boxes. They could instead be non-Windows systems that appear the same as patched Windows boxes. But either way, they are safe from this vulnerability. There are 1,414,793 of them. The next results to look at are those marked SAFE due to CredSSP/NLA failures, of which there are 1,235,448. This doesn't mean they are patched, but only that we can't exploit them. They require "network level authentication" first before we can talk Remote Desktop to them. That means we can't test whether they are patched or vulnerable -- but neither can the hackers. They may still be exploitable via an insider threat who knows a valid username/password, but they aren't exploitable by anonymous hackers or worms. The next category is marked as SAFE because they aren't Remote Desktop at all, but HTTP servers. In other words, in response to o Ransomware Vulnerability Threat Patching Guideline NotPetya Wannacry
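The two-stage triage the scan above describes (masscan finds open 3389, a slower per-host check sorts the hits into buckets) hinges on one protocol exchange: the X.224 Connection Request/Confirm that opens every RDP session. The following added example, which is not code from the post, from masscan or from rdpscan, builds that request, parses the confirm and assigns the same bucket names the results table uses. It stops deliberately before the actual vulnerability check: everything that negotiates successfully stays UNKNOWN until that second probe runs. Frame layouts follow MS-RDPBCGR 2.2.1.1 and 2.2.1.2; the sample replies and IP addresses are constructed for the example, not captured from real hosts.

```python
"""Stage-2 RDP reply classifier (added example, not rdpscan/masscan code).

Sends an X.224 Connection Request carrying RDP_NEG_REQ and sorts the reply:
not RDP at all, NLA/CredSSP required (the pre-auth path a worm needs is closed),
or negotiation succeeded (still UNKNOWN until the real vulnerability check runs,
which this example does not implement).
"""
import struct
from collections import Counter

# requestedProtocols / selectedProtocol values (MS-RDPBCGR 2.2.1.1.1, 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000      # standard RDP security: no TLS, no NLA
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA)

# RDP_NEG_FAILURE codes (MS-RDPBCGR 2.2.1.2.2)
FAILURE_NAMES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
                 3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
                 5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER"}
NLA_FAILURES = {5, 6}

def build_connection_request(requested=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request + RDP_NEG_REQ.

    Asking for standard RDP security only forces an NLA-enforcing server to
    answer with RDP_NEG_FAILURE instead of continuing to the MCS connect phase."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)   # type, flags, length, protocols
    x224 = bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + neg_req         # LI=14, CR, dst/src ref, class 0
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224      # TPKT v3, reserved, total length

def classify(reply):
    """Map a raw reply to the bucket names used in the scan table."""
    if not reply:
        return "UNKNOWN - receive timeout"
    if reply.startswith(b"HTTP/"):
        return "SAFE - not RDP but HTTP"
    if len(reply) < 11 or reply[0] != 3 or reply[5] != 0xD0:
        return "UNKNOWN - not RDP"                 # not a TPKT-framed X.224 Connection Confirm
    length = struct.unpack(">H", reply[2:4])[0]
    if length != len(reply):
        return "UNKNOWN - truncated reply"
    if reply[4] == 6:
        # Bare Connection Confirm with no RDP_NEG_RSP: a legacy server that only
        # speaks standard RDP security. Exactly the population stage 2 must probe.
        return "UNKNOWN - negotiation ok, needs vulnerability check"
    if length < 19:
        return "UNKNOWN - truncated reply"
    neg_type, _flags, neg_len, value = struct.unpack("<BBHI", reply[11:19])
    if neg_len != 8:
        return "UNKNOWN - malformed negotiation response"
    if neg_type == 0x03:                            # RDP_NEG_FAILURE
        if value in NLA_FAILURES:
            return "SAFE - CredSSP/NLA required"
        # e.g. SSL_REQUIRED_BY_SERVER: retry with PROTOCOL_SSL before deciding anything
        return "UNKNOWN - negotiation failed (%s)" % FAILURE_NAMES.get(value, value)
    if neg_type == 0x02:                            # RDP_NEG_RSP
        if value == PROTOCOL_HYBRID:
            return "SAFE - CredSSP/NLA required"
        return "UNKNOWN - negotiation ok, needs vulnerability check"
    return "UNKNOWN - malformed negotiation response"

def summarize(replies):
    """Tally {ip: reply_bytes} into the bucket counts shown in the scan table."""
    return Counter(classify(r) for r in replies.values())

def _confirm(neg_type=None, value=0):
    """Constructed server reply for the example (Connection Confirm, optional neg block)."""
    x224 = bytes([0x0E if neg_type else 0x06, 0xD0, 0, 0, 0x12, 0x34, 0])
    if neg_type:
        x224 += struct.pack("<BBHI", neg_type, 0, 8, value)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

# Constructed replies standing in for stage-2 responses to masscan's hit list.
SAMPLE_REPLIES = {
    "192.0.2.1": _confirm(0x03, 5),                  # NLA enforced: pre-auth path closed
    "192.0.2.2": _confirm(0x02, PROTOCOL_RDP),       # negotiated standard RDP: needs real check
    "192.0.2.3": _confirm(),                         # legacy server, no negotiation block
    "192.0.2.4": b"HTTP/1.1 400 Bad Request\r\n\r\n",  # something else squatting on 3389
    "192.0.2.5": b"",                                # receive timeout
}

if __name__ == "__main__":
    for bucket, n in summarize(SAMPLE_REPLIES).most_common():
        print("%7d  %s" % (n, bucket))
```

Note the asymmetry the post relies on: an NLA failure is a SAFE verdict for an anonymous attacker, but a successful negotiation is not a VULNERABLE verdict, only permission to run the expensive per-host check.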
ErrataRob.webp 2019-05-27 19:59:38 A lesson in journalism vs. cybersecurity (lien direct) A recent NYTimes article blaming the NSA for a ransomware attack on Baltimore is typical bad journalism. It's an op-ed masquerading as a news article. It cites many to support the conclusion the NSA is to be blamed, but only a single quote, from the NSA director, from the opposing side. Yet many experts oppose this conclusion, such as @dave_maynor, @beauwoods, @daveaitel, @riskybusiness, @shpantzer, @todb, @hrbrmst, ... It's not as if these people are hard to find, it's that the story's authors didn't look. The main reason experts disagree is that the NSA's Eternalblue isn't actually responsible for most ransomware infections. It's almost never used to start the initial infection -- that's almost always phishing or website vulns. Once inside, it's almost never used to spread laterally -- that's almost always done with windows networking and stolen credentials. Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn't mean Eternalblue is responsible for ransomware. The NYTimes story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other. A good example is this paragraph: That link is a warning from last July about the "Emotet" ransomware and makes no mention of EternalBlue. Instead, the story is citing anonymous researchers claiming that EternalBlue has been added to Emotet since after that DHS warning. Who are these anonymous researchers? The NYTimes article doesn't say. This is bad journalism. The principles of journalism are that you are supposed to attribute where you got such information, so that the reader can verify for themselves whether the information is true or false, or at least, credible. And in this case, it's probably false. The likely source for that claim is this article from Malwarebytes about Emotet. 
They have since retracted this claim, as the latest version of their article points out.In any event, the NYTimes article claims that Emotet is now "relying" on the NSA's EternalBlue to spread. That's not the same thing as "using", not even close. Yes, lots of ransomware has been updated to also use Eternalblue to spread. However, what ransomware is relying upon is still the Wind Ransomware Malware Patching Guideline NotPetya Wannacry
no_ico.webp 2019-05-16 23:13:01 Microsoft Warns Against Critical, WannaCry-like Flaw (lien direct) Microsoft has issued an announcement urging users of older versions of Windows to apply a patch to protect against a potential widespread WannaCry-like attack. Two years on from the WannaCry attack, which affected computers in over 70 countries, Tanium's recent research showed that organisations are still struggling with patching hygiene, leaving their critical assets exposed. This vulnerability is so bad that #Microsoft … Vulnerability Patching Wannacry
no_ico.webp 2019-05-03 15:30:05 DHS Orders Agencies To Patch Critical Vulnerabilities Within 15 Days (lien direct) It has been reported that the U.S. Department of Homeland Security (DHS) this week issued a new Binding Operational Directive (BOD) instructing federal agencies and departments to act more quickly when it comes to patching serious vulnerabilities in internet-exposed systems. Specifically, BOD 19-02 gives government organisations 15 days to address critical vulnerabilities and 30 days for high-severity flaws. The countdown starts … Patching
CSO.webp 2019-04-29 03:00:00 How to evaluate SOC-as-a-service providers (lien direct) If you don't currently have your own security operations center (SOC), you are probably thinking of ways you can obtain one without building it from scratch. The on-premises version can be pricey, more so once you factor in the staffing costs to man it 24/7. In the past few years, managed security service providers (MSSPs) have come up with cloud-based SOCs that they use to monitor your networks and computing infrastructure and provide a wide range of services such as patching and malware remediation. Let's look at how this SOC-as-a-service (SOCaaS) industry has grown up, what they offer and how to pick the right supplier for your particular needs. Malware Patching
AlienVault.webp 2019-04-16 13:00:00 Security is Simple as 1, 2, 3 (lien direct) Keeping an organization's IT assets secure in this day and age is a challenge.  The sands of the information security landscape are constantly shifting, and it can be difficult for practitioners to find solid footing; to identify those initiatives that will net the greatest return on security spend.  Each day seems to bring another emerging concern in the threat landscape.  The organization itself often seems to work against us, wanting to expand our already too-broad attack surface by embracing new technologies, connecting with partners, or acquiring other businesses entirely.  In such a climate it can be easy to allow our attention to be drawn to the expanding edge of our environment and the newest threats to be found there.  Advanced Persistent Threats (APT), supply chain risks, and cloud/container platform issues, to name a few, are more recent additions to our list of concerns.  And let's be honest, as technologists we are drawn to the new, the novel, the esoteric – because it is interesting.  While there are real risks to be addressed here, they may not represent the greatest area of exposure for your users and information assets or the best ROI.  Over the past four years of performing research for monthly threat briefings there are three themes that constantly arise which, if mastered, can greatly reduce the information security risk to the enterprise.  These are: Keep systems and software components up to date.  This includes regular patching as well as upgrading platforms when they are no longer supported.  Two key components of a successful patching program are making sure that all devices in the environment are (1) identified and (2) under management. Enforce the principle of least privilege.  User accounts, applications, service accounts and network resource permissions must all be taken into account and kept up to date.  
The use of segmentation and micro-segmentation strategies is an excellent additional layer of control to apply.  Constantly train users on security culture and safe computing practices.  User training and awareness cannot be limited to phishing emails or social engineering alone.  Topics should include physical security related issues (locking doors, desks, and cabinets), challenging strangers for credentials when appropriate, responsible data distribution practices and how to report suspected oversights.  Ultimately this must be a paradigm shift; an exercise in building an organizational culture that emphasizes security and the priority of reporting suspected indicators of incidents in a consequence-free climate. Often, the root cause of a security incident can be traced back to failures associated with one or more of these three points rather than some fringe security exposure.  Environments are dynamic, and it is unlikely we can ever be certain that we have 100% coverage for any security practice or solution we put in place; especially over time.   As a result, when asked by customers what they should be focusing on, I always recommend they consider these practices critical, foundational elements of their security program and work to validate and improve upon the effectiveness of these capabilities on an ongoing basis.    The truth is that such core security practices are not particularly interesting and focusing on the fringe of the threat landscape is far more appealing.  The idea that we are on the front lines, in a fight again Threat Patching
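The first of the three practices above has two measurable preconditions: every device is identified, and every identified device is under management. The added example below (not code from the article or from any product) makes both measurable by merging discovery sources keyed on a normalized MAC address, subtracting the patch-management agent's roster to find the unmanaged gap, and flagging platforms that are past end of support, which no patch cycle will fix. The inventory rows, MAC addresses and hostnames are constructed for the example; the end-of-support dates are assumed here and should be confirmed against the vendor's lifecycle page.

```python
"""Patch-program coverage check (added example, not part of the original article)."""
from datetime import date

# Assumed end-of-support dates for the example; verify against vendor lifecycle data.
END_OF_SUPPORT = {
    "windows 7": date(2020, 1, 14),
    "windows server 2008 r2": date(2020, 1, 14),
    "windows server 2003": date(2015, 7, 14),
}
AS_OF = date(2020, 6, 1)   # assumed "today" for the constructed report

def norm_mac(mac):
    """Normalize 00-1A-2B-..., 001a.2b3c...., 00:1a:2b:... to one lowercase form."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def build_inventory(*sources):
    """Union of discovery sources; each row is a dict with 'mac' and optional 'host'/'os'.

    A device seen by any source is 'identified'. First non-empty value wins, so
    an AD record can supply the OS that a DHCP lease does not know."""
    inventory = {}
    for source in sources:
        for row in source:
            key = norm_mac(row.get("mac", ""))
            if key is None:
                continue                       # unusable identifier, skip rather than guess
            entry = inventory.setdefault(key, {"host": None, "os": None})
            entry["host"] = entry["host"] or row.get("host")
            entry["os"] = entry["os"] or row.get("os")
    return inventory

def unmanaged(inventory, managed_macs):
    """Identified devices with no patch-management agent: the coverage gap."""
    managed = {m for m in (norm_mac(x) for x in managed_macs) if m}
    return sorted(k for k in inventory if k not in managed)

def past_end_of_support(inventory, today):
    """Devices whose platform no longer receives patches; these need upgrades, not patching."""
    out = []
    for key, entry in inventory.items():
        eos = END_OF_SUPPORT.get((entry["os"] or "").lower())
        if eos and eos <= today:
            out.append((key, entry["os"], eos.isoformat()))
    return sorted(out)

# Constructed sample data: three discovery sources with inconsistent MAC formats.
DHCP_LEASES = [
    {"mac": "00-1A-2B-3C-4D-01", "host": "fin-ws-01"},
    {"mac": "00-1A-2B-3C-4D-02", "host": "lab-printer"},
    {"mac": "00-1a-2b-3c-4d-03", "host": "old-sql"},
]
AD_COMPUTERS = [
    {"mac": "001a.2b3c.4d01", "host": "fin-ws-01", "os": "Windows 10"},
    {"mac": "001a.2b3c.4d03", "host": "old-sql", "os": "Windows Server 2008 R2"},
    {"mac": "00:1a:2b:3c:4d:04", "host": "hr-ws-07", "os": "Windows 7"},
]
PATCH_AGENT_ROSTER = ["00:1A:2B:3C:4D:01", "00:1a:2b:3c:4d:04"]

def demo():
    """Return (unmanaged MACs, end-of-support devices) for the constructed data."""
    inv = build_inventory(DHCP_LEASES, AD_COMPUTERS)
    return unmanaged(inv, PATCH_AGENT_ROSTER), past_end_of_support(inv, AS_OF)

if __name__ == "__main__":
    gap, eol = demo()
    print("identified but unmanaged:", gap)
    print("past end of support:", eol)
```

The printer with no OS record still shows up in the gap: a device that cannot be patched is still an identified device someone must own, which is the point of step (1) before step (2).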
no_ico.webp 2019-04-10 15:30:05 Xiaomi Browsers Still Vulnerable After Failed Patches (lien direct) It has been reported that Xiaomi browsers are still vulnerable after failed patches. Xiaomi has trouble permanently patching its browsers against a vulnerability that enables spoofing URLs in a way that is difficult to detect by users. The flaw affects the international versions of Mint Browser and Mi, the web browser that comes pre-installed on Xiaomi smartphones. It … Vulnerability Patching
AlienVault.webp 2019-03-20 13:00:00 Restart BEFORE patching (lien direct) Most folks who work with servers know the monthly drill: Patches are released by manufacturers -> Patches are tested -> Patches are deployed to Production.  What could possibly go wrong? Anyone who has ever experienced the nail-biting joy of patching, and then awaiting a restart, knows exactly what could go wrong.  Does anyone remember the really good old days when patches had to be manually staged prior to deployment? For those of you who entered the tech world after Windows NT was retired, consider yourself lucky! If you think about it, most organizations that patch on a monthly basis are considered to have an aggressive patching strategy.  As evidenced by the legendary Equifax breach, some organizations take months to apply patches. This is true even when the organization has been forewarned that the patch is a cure for a vulnerability that is being actively exploited, also known as a “Zero-day” vulnerability. Patching is never a flawless operation.  There is always one server that just seems to have problems.  What is the first response when this happens?  Blame the patch, of course!  After all, what else could have changed on the server?  Plenty, actually. Sometimes, removal of the patch doesn’t fix the problem.  I have seen the patch still held responsible for whatever has gone wrong with the server.  I am not blindly defending the patch authors, as there have been too many epic blunders in patching for me to exhibit that kind of optimism and not laugh at myself.  But what can we do to avoid the patch blame game? The simple solution is to restart the servers before deploying patches.  This is definitely an unorthodox approach, but it can certainly reduce troubleshooting time and “patch blame” when something goes wrong.  If you restart a server, and it doesn’t restart properly, that indicates that an underlying problem exists prior to any patching concern. 
This may seem like a waste of time, however, the alternative is usually more time consuming. If you patch a server, and it fails at restart, the first amount of time you will waste is trying to find the offending patch, and then removing the patch.  Then, upon the subsequent restart, the machine still fails.  Now what? Even if we scale this practice to 1000 servers, the time is still not wasted.  If you are confident that your servers can withstand a simple restart, then restart them all.  The odds are in your favor that most will restart without any problems.   If less than 1% of them fail, then you can address the problems there before falsely chasing the failure as a patch problem. Once all the servers restart normally, then, perform your normal patching, and feel free to blame the patch if the server fails after patching. The same approach could also be applied to workstations in a corporate environment.  Since most organizations do not engage automatic workstation patching on the corporate network, a pre-patch restart can be forced on workstations. Patching has come a long way from the early days when the internet was young and no vulnerabilities existed (insert sardonic smile here).  The rate of exploits and vulnerabilities has accelerated, requiring more immediate action towards protecting your networks.  Since patches are not without flaws, one easy way to rule out patching as the source of a problem is to restart before patching. Vulnerability Patching Equifax
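The procedure above is really an attribution rule: a host that fails a plain restart before any patch is a pre-existing problem, and a host that passes that restart and then fails after the patch is a patch problem. The added example below (not code from the article) encodes that rule as a wave controller with the 1% gate the post mentions. The restart, health-check and patch actions are injected callables so it runs offline here; in production they would wrap WinRM or SSH and a real readiness probe. The fleet, hostnames and failure cases are constructed for the example.

```python
"""Restart-before-patching wave controller (added example, not from the original post)."""
from dataclasses import dataclass, field

@dataclass
class WaveReport:
    pre_existing_failures: list = field(default_factory=list)     # broke before any patch
    patch_attributed_failures: list = field(default_factory=list)  # clean restart, broke after patch
    patched_ok: list = field(default_factory=list)
    aborted: bool = False   # pre-patch failure rate exceeded the gate; nothing was patched

def restart_and_verify(host, restart, healthy):
    """Restart one host and report whether it came back healthy."""
    restart(host)
    return healthy(host)

def run_wave(hosts, restart, healthy, apply_patch, max_prepatch_failure_ratio=0.01):
    report = WaveReport()
    # Stage 1: plain restart, no patch. Anything that fails here was already broken
    # and is fenced off so it cannot later be blamed on the patch.
    candidates = []
    for host in hosts:
        if restart_and_verify(host, restart, healthy):
            candidates.append(host)
        else:
            report.pre_existing_failures.append(host)
    if hosts and len(report.pre_existing_failures) / len(hosts) > max_prepatch_failure_ratio:
        # Too many hosts are unhealthy before patching: fix the environment first,
        # otherwise every later failure gets mis-filed as a patch problem.
        report.aborted = True
        return report
    # Stage 2: patch only hosts with a proven clean restart, then restart again.
    for host in candidates:
        apply_patch(host)
        if restart_and_verify(host, restart, healthy):
            report.patched_ok.append(host)
        else:
            report.patch_attributed_failures.append(host)
    return report

# Constructed fleet: srv-017 is already broken (fails any restart),
# srv-042 only breaks once the patch has been applied.
FLEET = ["srv-%03d" % i for i in range(1, 201)]
_state = {"patched": set()}

def fake_restart(host):
    pass   # production: Restart-Computer over WinRM, or `reboot` over SSH, then wait

def fake_healthy(host):
    if host == "srv-017":
        return False
    if host == "srv-042" and host in _state["patched"]:
        return False
    return True

def fake_patch(host):
    _state["patched"].add(host)

def demo():
    """Run one wave over the constructed fleet and return the report."""
    _state["patched"].clear()
    return run_wave(FLEET, fake_restart, fake_healthy, fake_patch)

if __name__ == "__main__":
    r = demo()
    print("pre-existing failures:", r.pre_existing_failures)
    print("patch-attributed failures:", r.patch_attributed_failures)
    print("patched ok:", len(r.patched_ok), "aborted:", r.aborted)
```

With both stages recorded separately, the "blame the patch" conversation starts from evidence: srv-017 never gets the patch and never gets counted against it, while srv-042 is the only host where rolling the patch back is a sensible first step.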
Kaspersky.webp 2019-03-12 15:09:01 Unpatched Windows Bug Allows Attackers to Spoof Security Dialog Boxes (lien direct) Microsoft won't be patching the bug, but a proof of concept shows the potential for successful malware implantation. Malware Patching
TechRepublic.webp 2019-03-12 14:08:04 25% of software vulnerabilities remain unpatched for more than a year (lien direct) Smaller organizations are more agile at patching vulnerabilities, and vendor support goes a long way in easing patching, according to a report from Kenna Security and the Cyentia Institute. Patching
itsecurityguru.webp 2019-02-22 14:11:05 WTF PDF: Adobe re-patching its Acrobat, Reader patches. (lien direct) Plus: How Microsoft Edge helps Facebook Flash files dodge click-to-play rules in Edge. Adobe is taking a second crack at patching security bugs in its Acrobat and Reader PDF apps. The APSB19-13 release, out today, attempts to completely kill off vulnerability CVE-2019-7089, which a software update earlier this month tried to address but was found to have […] Vulnerability Patching
Pirate.webp 2019-02-04 05:52:02 BDFProxy – Patch Binaries via MiTM – BackdoorFactory + mitmproxy (lien direct) BDFProxy allows you to patch binaries via MiTM with The Backdoor Factory combined with mitmproxy, enabling on-the-fly patching of binary downloads (software updates, for example) from vendors that don't validate data integrity. The Backdoor Factory allows you to patch binaries with shellcode; combining that with mitmproxy, a Python proxy server that can intercept HTTP, change traffic on the fly, replay traffic, and decode and render primitive data types, gives you BDFProxy. Patching
AlienVault.webp 2019-01-29 14:00:00 Ways to Respond to a Breach (lien direct) Breaches aren't easy to deal with, especially if you are of the opinion that companies are people too. Having seen, been part of, and lent a shoulder to many a breach, here are nine of the common ways companies respond to breaches. Delayed response A delayed response is when a breach has occurred and the company is informed a long time after the fact, usually when the data appears on a dark web sharing site. The company is sometimes informed by law enforcement, or by reading about it on Brian Krebs' blog. Complicated response (traumatic or prolonged) A complicated breach becomes severe with time and can impact the entire company. This can be the case when regulators step in to look at a breach. Were you PCI DSS compliant? Well not anymore. Did you have European citizen data? Well say hello to my little GDPR friend. Disenfranchised response Disenfranchised breaches are where the company experiences a loss, but others do not acknowledge the importance or impact. For example, an intellectual property breach that allows a competitor to get ahead is felt by the company, but elicits little, if any sympathy from customers. Cumulative response A cumulative breach is when multiple breaches or incidents are experienced, often within a short period of time. For example, getting locked out of your IoT devices accounts while records are being exfiltrated out of the mainframe during a DDoS attack. A cumulative breach can be particularly stressful because a company doesn't have time to properly respond to one incident stating how they 'take security seriously' before experiencing the next. Distorted response Sometimes a company responds to a breach in extreme and hostile ways. In a manner befitting a toddler, the company may resort to blaming a partner or any other third party company. On occasion the finger of blame is pointed towards an employee or contractor for not patching a system. 
Or, in some cases, the company will want to set an example and unceremoniously fire the CISO. Inhibited response Also known as “keep this between us” is a conscious decision by a company to keep details of a breach limited to a very small group. Problems can occur if customers or regulators get wind of it, and can cause bigger issues down the road. By then, the only viable option for companies is to shred the documents, wipe the hard drives, and research countries with non-extradition treaties. Collective response Collective breach is felt by a wider group, and the impact is shared. It can be a useful tactic in bringing all people on the same side and put their differences aside. When everyone is forced to change their passwords after a breach, it gives common ground for them to share the pain. Absent response A favourite of social media giants, absent response is when a company doesn’t acknowledge or show signs of any response. This can be as a result of shock, denial, or simply passing everything onto business as usual. It’s important to note that in some instances, just because you can’t see the signs of a response, it doesn’t necessarily mean that a company isn’t taking responsive actions. Or it could just mean they don’t care, it can be hard to tell. Anticipatory response Remember all those posters telling you ‘it’s not a matter of Patching
no_ico.webp 2019-01-22 12:16:02 Companies Can Safely Delay Patching The Majority Of Their Vulnerabilities, Kenna Security Report Finds (lien direct) Research conducted by Kenna Security and Cyentia Institute demonstrates companies can be smarter and more efficient in their security efforts  "In our ongoing mission to apply the tenets of data science to cybersecurity, we have begun to benchmark the realities of vulnerability remediation strategies. We've found that remediating the riskiest vulnerabilities is within reach for … Vulnerability Patching
onapsis.webp 2019-01-08 18:40:02 SAP Security Notes January '19: First Critical Note for SAP Cloud Connector and Mobile Patching (lien direct) Our monthly report on how to improve your SAP security and take care of your most critical information by exploring the latest SAP Security Notes for January 2019. Keywords: SAP Security Notes, SAP, sap erp, information security. By Raul Batista and Sebastian Bortnik, 01/08/2019. Patching
Blog.webp 2018-12-19 23:46:03 It's the most wonderful time of the year – Patching (lien direct) Remember back when the Summer and Christmas breaks were a high time of concern.  The kids were out of college and ready to try out their skills.  Christmas was worse because so many people were out of the office, no one would notice.  Or if they did, the response would be limited.   Now that's what we ... Patching
CSO.webp 2018-10-31 14:54:00 BrandPost: The Patching Paradox (lien direct) A new global survey by Ponemon and ServiceNow of nearly 3,000 cybersecurity professionals reveals that more than half of the companies have experienced a breach in the past year. In this session Bob Bragdon, Senior Vice President and Publisher of CSO, and Cliff Huntington, head of global sales for governance, risk, and compliance at ServiceNow, explore how high-performing security teams prevent breaches and what other teams can do to emulate their success. One particular area deserves a close look: unpatched enterprise software. The survey revealed that a majority of cyber-attack victims say their breaches could have been prevented by installing patches – and the survey also found that organizations can reduce their breach risk by 20% by scanning. Patching
AlienVault.webp 2018-10-24 13:00:00 The Importance of Patch Management (lien direct) With each passing year, our world becomes more and more digital. Our social interactions and personal data as well as many of our jobs are based primarily on the internet. Although this shift has come with great benefits, it's also opened us up to a heightened threat of cyber terrorism. 2017 saw some of the most devastating high-profile attacks in history, opening the eyes of businesses of all sizes to the importance of stronger security. With no end to cybercrime in sight, the best defense is to be better prepared. There are various practices that can be applied to achieve this, and implementing a patch management system is one of them. In its most basic sense, patching is the process of repairing IT system vulnerabilities that are discovered after the infrastructure components have been released on the market. These patches can apply to a variety of system components, including operating systems, servers, routers, desktops, email clients, office suites, mobile devices, firewalls and more. Depending on a company's information system design, the method of patch management may differ slightly. Failure to follow adequate patch management procedures greatly increases the risk of falling victim to a devastating attack. In the second quarter of 2017, we saw a global ransomware outbreak hit systems in over 150 countries and hundreds of organizations, all as a result of poor patch management. These unattended vulnerabilities in IT infrastructure open companies up to numerous security challenges, the top five being:
1. Absence of proper coordination of security measures taken by the operations department and the IT department.
2. Inability to keep up with regulatory standards.
3. Failure to develop an automated security channel.
4. Inability to protect systems from malware, DDoS attacks and hacktivism.
5. Failure to upgrade the existing software and applications to improve the system security. 
Outsourced patch management For many companies, the reason behind their failure to properly patch vulnerabilities is the simple fact that it’s difficult. The process is time-consuming and, depending on the size of a company, there could be numerous vulnerabilities opening simultaneously. Outsourcing patch management to a more qualified company can relieve IT teams of that immense burden and prevent potentially fatal neglect. Additionally, outsourced IT companies have the advantage of economies of scale and can spend the necessary time required for testing updates before updating client systems. Automated patch management Automation is a trending feature in technology this year, including patch management. With this method, a cloud-based automation system is able to regularly scan and apply patches to software and systems of any kind regardless of location. This reduces the need for ongoing management of the patching system itself, meaning even the most limited IT teams can stay up-to-date with security. Furthermore, as automation allows for patches to be applied 24/7, the downloading and installation processes won't disrupt a work day, and the potential for human error while installing patches is removed. Whichever route you choose, the importance of the matter stays the same. While hackers have made it clear they don’t discriminate against company size or industry, preventive measures are necessary for everyone. With a strong patch management system in place, the occurrence of a vulnerability can be immediately rectified by way of consistent monitoring of the system and a patch released Ransomware Hack Vulnerability Threat Patching Guideline
ZDNet.webp 2018-10-19 01:41:04 Zero-day in popular jQuery plugin actively exploited for at least three years (lien direct) A fix is out but the plugin is used in hundreds, if not thousands, of projects. Patching will take ages! Patching
SecurityAffairs.webp 2018-10-15 06:42:00 A Russian cyber vigilante is patching outdated MikroTik routers exposed online (lien direct) A Russian-speaking hacker, who goes by the name of Alexey, claims to have hacked into over 100,000 MikroTik routers with a specific intent: to disinfect them. In early August, experts uncovered a massive cryptojacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script into web traffic. The campaign started in Brazil, but it rapidly expanded to […] Patching
ZDNet.webp 2018-10-12 13:04:04 A mysterious grey-hat is patching people's outdated MikroTik routers (lien direct) Internet vigilante claims he patched over 100,000 MikroTik routers already. Patching
Kaspersky.webp 2018-10-05 21:23:02 Sony Smart TV Bug Allows Remote Access, Root Privileges (lien direct) Software patching becomes a new reality for smart TV owners. Patching
SecurityWeek.webp 2018-09-19 16:29:01 Patching Not Enough; Organizations Must Adopt Zero-Trust Practices: Report (lien direct) Hackers Can Gain Network Access Via Social Engineering and Wait for New Zero-Day Exploits to Elevate Their Privilege Patching
The_Hackers_News.webp 2018-09-11 11:36:02 Microsoft Issues Software Updates for 17 Critical Vulnerabilities (lien direct) Time to gear up your systems and software. Just a few minutes ago Microsoft released its latest monthly Patch Tuesday update for September 2018, patching a total of 61 security vulnerabilities, 17 of which are rated as critical, 43 are rated Important, and one Moderate in severity. This month's security updates patch vulnerabilities in Microsoft Windows, Edge, Internet Explorer, MS Office, Patching
ErrataRob.webp 2018-09-10 17:33:17 California's bad IoT law (lien direct) California has passed an IoT security bill, awaiting the governor's signature/veto. It's a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little to improve security, while doing a lot to impose costs and harm innovation. It's based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem that you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add “security features” but to remove “insecure features”. For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical “magic pill” or “silver bullet” thinking that we spend much of our time in infosec fighting against. We don't want arbitrary features like firewall and anti-virus added to these products. It'll just increase the attack surface, making things worse. The one possible exception to this is “patchability”: some IoT devices can't be patched, and that is a problem. But even here, it's complicated. Even if IoT devices are patchable in theory, there is no guarantee vendors will supply such patches, or worse, that users will apply them. Users overwhelmingly forget about devices once they are installed. These devices aren't like phones/laptops which notify users about patching. You might think a good solution to this is automated patching, but only if you ignore history. Many rate “NotPetya” as the worst, most costly, cyberattack ever. That was launched by subverting an automated patch. Most IoT devices exist behind firewalls, and are thus very difficult to hack. Automated patching gets beyond firewalls; it makes it much more likely mass infections will result from hackers targeting the vendor. The Mirai worm infected fewer than 200,000 devices. 
A hack of a tiny IoT vendor can gain control of more devices than that in one fell swoop. The bill does target one insecure feature that should be removed: hardcoded passwords. But they get the language wrong. A device doesn't have a single password, but many things that may or may not be called passwords. A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services like Telnet (based on /etc/passwd), and yet another wholly separate system for things like debugging interfaces. Just because a device does the prescribed thing of using a unique or user-generated password in the user interface doesn't mean it doesn't also have a bug in Telnet. That was the problem with devices infected by Mirai. The description that these were hardcoded passwords is only a superficial understanding of the problem. The real problem was that there were different authentication systems in the web interface and in other services like Telnet. Most of the devices vulnerable to Mirai did the right thing on the web interfaces (meeting the language of this law), requiring the user to create new passwords before operating. They just did the wrong thing elsewhere. People aren't really paying attention to what happened with Mirai. They look at the 20 billion new IoT devices that are going to be connected to the Internet by 2020 and believe Mirai is just the tip of the iceberg. But it isn't. The IPv4 Internet has only 4 billion addresses, which are pretty much already used up. This means those 20 billion won't be exposed to the public Internet like Mirai devices, but hidden behind firewalls that translate addresses. Thus, rather than Mirai presaging the future, it represents the last gasp of the past that is unlikely to come again. This law is backwards looking rather than forward looking. Forward looking, by far the most important t Hack Threat Patching Guideline NotPetya Tesla
Blog.webp 2018-08-28 03:06:03 Podcast Episode 110: Why Patching Struts isn't Enough and Hacking Electricity Demand with IoT? (lien direct) In this week's episode (#110): the second major flaw in Apache Struts 2 in as many years has put the information security community on alert. But is this vulnerability as serious as the last, which resulted in the hack of the firm Equifax? We talk with an expert from the firm Synopsys. And: we've heard a lot about the risk of cyber...Read the whole entry... Hack Vulnerability Patching Equifax
Chercheur.webp 2018-08-23 20:22:03 Experts Urge Rapid Patching of 'Struts' Bug (lien direct) In September 2017, Equifax disclosed that a failure to patch one of its Internet servers against a pervasive software flaw -- in a Web component known as Apache Struts -- led to a breach that exposed personal data on 147 million Americans. Now security experts are warning that blueprints showing malicious hackers how to exploit a newly-discovered Apache Struts bug are available online, leaving countless organizations in a rush to apply new updates and plug the security hole before attackers can use it to wriggle inside. Patching Equifax
The_Hackers_News.webp 2018-08-14 11:36:00 Microsoft Releases Patches for 60 Flaws, Two Under Active Attack (lien direct) Get your update caps on. Just a few minutes ago Microsoft released its latest monthly Patch Tuesday update for August 2018, patching a total of 60 vulnerabilities, of which 19 are rated as critical. The updates patch flaws in Microsoft Windows, Edge Browser, Internet Explorer, Office, ChakraCore, .NET Framework, Exchange Server, Microsoft SQL Server and Visual Studio. Two of these Patching ★★★★★
NetworkWorld.webp 2018-08-08 13:28:00 Chip maker TSMC will lose millions for not patching its computers (lien direct) Taiwanese chip-making giant Taiwan Semiconductor Manufacturing Co. (TSMC), whose customers include Apple, Nvidia, AMD, Qualcomm, and Broadcom, was hit with a WannaCry infection last weekend that knocked out production for a few days and will cost the firm millions of dollars. Most chip companies are fabless, meaning they don't make their own chips. It's a massively expensive process, as Intel has learned. Most, like the aforementioned firms, simply design the chips and farm out the manufacturing process, and TSMC is by far the biggest player in that field. CEO C.C. Wei told Bloomberg that TSMC wasn't targeted by a hacker; it was an infected production tool provided by an unidentified vendor that was brought into the company. The company is overhauling its procedures after encountering a virus more complex than initially thought, he said. Tool Patching Wannacry
ErrataRob.webp 2018-08-07 23:18:45 What the Caesars (@DefCon) WiFi situation looks like (lien direct) So I took a survey of WiFi at Caesar's Palace and thought I'd write up some results. When we go to DEF CON in Vegas, hundreds of us bring our WiFi tools to look at the world. Actually, no special hardware is necessary, as modern laptops/phones have WiFi built-in, while the operating system (Windows, macOS, Linux) enables “monitor mode”. Software is widely available and free. We still love our specialized WiFi dongles and directional antennas, but they aren't really needed anymore. It's also legal, as long as you are just grabbing header information and broadcasts. Which is about all that's useful anymore, as encryption has become the norm -- we can pretty much only see what we are allowed to see. The days of grabbing somebody's session-cookie and hijacking their web email are long gone (though that was a fun period). There are still a few targets around if you want to WiFi hack, but most are gone. So naturally I wanted to do a survey of what Caesar's Palace has for WiFi during the DEF CON hacker conference located there. Here is a list of access-points (on channel 1 only) sorted by popularity, the number of stations using them. These have mind-blowingly high numbers in the ~3000 range for “CAESARS”. I think something is wrong with the data. I click on the first one to drill down, and I find a source of the problem. I'm seeing only “Data Out” packets from these devices, not “Data In”. These are almost entirely ARP packets from devices associated with other access-points, not actually associated with this access-point. The hotel has bridged (via Ethernet) all the access-points together. We can see this in the raw ARP packets, such as the one shown below. WiFi packets have three MAC addresses, the source and destination (as expected) and also the address of the access-point involved. 
The access point is the actual transmitter, but it's bridging the packet from some other location on the local Ethernet network. Apparently, CAESARS dumps all the guests into the address range 10.10.x.x, all going out through the router 10.10.0.1. We can see this from the ARP traffic, as everyone seems to be ARPing that router. I'm probably seeing all the devices on the CAESARS WiFi. In ot Patching
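Added example (not code from the original post or its author): a small 802.11 data-frame parser that reproduces the counting error described above. It resolves the three address fields from the ToDS/FromDS bits, then tallies stations per BSSID two ways: the naive way (any station MAC appearing in a frame that carries the BSSID) and the strict way (only stations that transmit to that BSSID). Frames an AP re-transmits on behalf of a station associated elsewhere inflate the naive count but not the strict one. The capture, MAC addresses and IP range are constructed for the example; the LLC/SNAP ARP layout is the standard one.

```python
import struct
from collections import Counter, defaultdict

BROADCAST = b'\xff' * 6
LLC_SNAP_ARP = b'\xaa\xaa\x03\x00\x00\x00\x08\x06'  # LLC/SNAP header announcing an ARP payload


def mac_str(raw):
    return ':'.join(f'{b:02x}' for b in raw)


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, body=b''):
    """Minimal 802.11 data frame: frame control, duration, three addresses, sequence control, body."""
    flags = (0x01 if to_ds else 0) | (0x02 if from_ds else 0)
    return bytes([0x08, flags]) + b'\x00\x00' + addr1 + addr2 + addr3 + b'\x00\x00' + body


def build_arp_request(sender_mac, sender_ip, target_ip):
    """LLC/SNAP + ARP request (28-byte ARP body) as carried in an 802.11 data frame."""
    arp = struct.pack('!HHBBH', 1, 0x0800, 6, 4, 1)
    arp += sender_mac + bytes(int(o) for o in sender_ip.split('.'))
    arp += b'\x00' * 6 + bytes(int(o) for o in target_ip.split('.'))
    return LLC_SNAP_ARP + arp


def parse_data_frame(frame):
    """Resolve SA/DA/BSSID from the three address fields according to ToDS/FromDS."""
    if len(frame) < 24 or (frame[0] & 0x0c) != 0x08:   # type bits must say "data"
        return None
    to_ds, from_ds = bool(frame[1] & 0x01), bool(frame[1] & 0x02)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:   # station -> AP: Addr1=BSSID, Addr2=SA, Addr3=DA
        return dict(bssid=a1, sa=a2, da=a3, station_tx=True, body=frame[24:])
    if from_ds and not to_ds:   # AP -> station: Addr1=DA, Addr2=BSSID, Addr3=SA
        return dict(bssid=a2, sa=a3, da=a1, station_tx=False, body=frame[24:])
    return None                  # IBSS and 4-address WDS frames are out of scope here


def parse_arp_target(body):
    """Target IP of an ARP request, or None if the body is not an ARP request."""
    if not body.startswith(LLC_SNAP_ARP) or len(body) < len(LLC_SNAP_ARP) + 28:
        return None
    arp = body[len(LLC_SNAP_ARP):]
    if struct.unpack('!H', arp[6:8])[0] != 1:
        return None
    return '.'.join(str(b) for b in arp[24:28])


def survey(frames):
    naive = defaultdict(set)    # BSSID -> every station MAC seen in a frame carrying that BSSID
    strict = defaultdict(set)   # BSSID -> stations that actually transmitted to that BSSID
    arp_targets = Counter()     # who everybody is ARPing for (counted once, on the original frame)
    for frame in frames:
        p = parse_data_frame(frame)
        if p is None:
            continue
        bssid = mac_str(p['bssid'])
        naive[bssid].add(mac_str(p['sa']))
        if p['da'] != BROADCAST:
            naive[bssid].add(mac_str(p['da']))
        if p['station_tx']:
            strict[bssid].add(mac_str(p['sa']))
            target = parse_arp_target(p['body'])
            if target:
                arp_targets[target] += 1
    return dict(naive), dict(strict), arp_targets


# Constructed addresses (locally administered MACs, not real devices).
AP_A, AP_B = bytes.fromhex('0a0000aaaa01'), bytes.fromhex('0a0000bbbb01')
S1, S2, S3 = bytes.fromhex('020000000001'), bytes.fromhex('020000000002'), bytes.fromhex('020000000003')
ROUTER = '10.10.0.1'   # gateway address taken from the post; the station IPs below are made up


def constructed_capture():
    """S1 and S2 are associated with AP_A, S3 with AP_B. Each station ARPs the gateway; because the
    APs are bridged over Ethernet, each AP also re-transmits the other AP's broadcast with the
    original station in Addr3 (SA), which is exactly what a naive per-BSSID tally miscounts."""
    return [
        build_data_frame(True, False, AP_A, S1, BROADCAST, build_arp_request(S1, '10.10.3.1', ROUTER)),
        build_data_frame(True, False, AP_A, S2, BROADCAST, build_arp_request(S2, '10.10.3.2', ROUTER)),
        build_data_frame(True, False, AP_B, S3, BROADCAST, build_arp_request(S3, '10.10.7.3', ROUTER)),
        build_data_frame(False, True, BROADCAST, AP_A, S3, build_arp_request(S3, '10.10.7.3', ROUTER)),
        build_data_frame(False, True, BROADCAST, AP_B, S1, build_arp_request(S1, '10.10.3.1', ROUTER)),
        build_data_frame(False, True, BROADCAST, AP_B, S2, build_arp_request(S2, '10.10.3.2', ROUTER)),
    ]


if __name__ == '__main__':
    naive, strict, targets = survey(constructed_capture())
    for bssid in sorted(naive):
        print(f'{bssid}: naive={len(naive[bssid])} strict={len(strict.get(bssid, ()))}')
    print('ARP targets:', dict(targets))
```

Against the constructed capture the naive tally reports three stations on each AP while the strict tally reports two on AP_A and one on AP_B; the only ARP target is the gateway, which is what the post observed on the real network.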
bleepingcomputer.webp 2018-08-01 16:46:02 An Open Letter to Microsoft About Poor Windows 10 Update Experiences (lien direct) Susan Bradley, an 18 year Microsoft MVP focused on Windows patching and patch management, has sent an open letter to Microsoft executives Satya Nadella, Carlos Picoto, and Scott Guthrie about the frustration Windows 10 users have when dealing with installing new updates. [...] Patching
ErrataRob.webp 2018-07-12 19:54:20 Your IoT security concerns are stupid (lien direct) Lots of government people are focused on IoT security, such as this recent effort. They are usually wrong. It's a typical cybersecurity policy effort which knows the answer without paying attention to the question. Patching has little to do with IoT security. For one thing, consumers will not patch vulns, because unlike your phone/laptop computer which is all "in your face", IoT devices, once installed, are quickly forgotten. For another thing, the average lifespan of a device on your network is at least twice the duration of support from the vendor making patches available. Naive solutions to the manual patching problem, like forcing autoupdates from vendors, increase rather than decrease the danger. Manual patches that don't get applied cause a small, but manageable constant hacking problem. Automatic patching causes rarer, but more catastrophic events when hackers hack the vendor and push out a bad patch. People are afraid of Mirai, a comparatively minor event that led to a quick cleansing of vulnerable devices from the Internet. They should be more afraid of notPetya, the most catastrophic event yet on the Internet, which was launched by subverting an automated patch of accounting software. Vulns aren't even the problem. Mirai didn't happen because of accidental bugs, but because of conscious design decisions. Security cameras have unique requirements of being exposed to the Internet and needing a remote factory reset, leading to the worm. While notPetya did exploit a Microsoft vuln, its primary vector of spreading (after the subverted update) was via misconfigured Windows networking, not that vuln. In other words, while Mirai and notPetya are the most important events people cite supporting their vuln/patching policy, neither was really about vuln/patching. Such technical analysis of events like Mirai and notPetya is ignored. 
Policymakers are only cherrypicking the superficial conclusions supporting their goals. They assiduously ignore in-depth analysis of such things because it inevitably fails to support their positions, or directly contradicts them. IoT security is going to be solved regardless of what government does. All this policy talk is premised on things being static unless government takes action. This is wrong. Government is still waffling on its response to Mirai, but the market quickly adapted. Those off-brand, poorly engineered security cameras you buy for $19 from Amazon.com shipped directly from Shenzen now look very different, having less Internet exposure, than the ones used in Mirai. Major Internet sites like Twitter now use multiple DNS providers so that a DDoS attack on one won't take down their services. In addition, technology is fundamentally changing. Mirai attacked IPv4 addresses outside the firewall. The 100-billion IoT devices going on the network in the next decade will not work this way, cannot work this way, because there are only 4-billion IPv4 addresses. Instead, they'll be behind NATs or accessed via IPv6, both of which prevent Mirai-style worms from functioning. Your fridge and toaster won't connect via your home WiFi anyway, but via a 5G chip unrelated to your home. Lastly, focusing on the ven Hack Patching Guideline NotPetya
ErrataRob.webp 2018-06-27 15:49:15 Lessons from nPetya one year later (lien direct) This is the one year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons. An example is this quote in a recent article: "One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains." This is an attractive claim. It describes the problem in terms of people being "weak" and that the solution is to be "strong". If only organizations were strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen. But this is wrong, at least in the case of NotPetya. NotPetya's spread was initiated through the Ukrainian company MeDoc, which provided tax accounting software. It had an auto-update process for keeping its software up-to-date. This was subverted in order to deliver the initial NotPetya infection. Patching had nothing to do with this. Other common security controls like firewalls were also bypassed. Auto-updates and cloud-management of software and IoT devices are becoming the norm. This creates a danger for such "supply chain" attacks, where the supplier of the product gets compromised, spreading an infection to all their customers. The lesson organizations need to learn about this is how such infections can be contained. One way is to firewall such products away from the core network. Another solution is port-isolation/microsegmentation, that limits the spread after an initial infection. Once NotPetya got into an organization, it spread laterally. 
The chief way it did this was through Mimikatz/PsExec, reusing Windows credentials. It stole whatever login information it could get from the infected machine and used it to try to log on to other Windows machines. If it got lucky getting domain administrator credentials, it then spread to the entire Windows domain. This was the primary method of spreading, not the unpatched ETERNALBLUE vulnerability. This is why it was so devastating to companies like Maersk: it wasn't a matter of a few unpatched systems getting infected, it was a matter of losing entire domains, including the backup systems. Such spreading through Windows credentials continues to plague organizations. A good example is the recent ransomware infection of the City of Atlanta that spread much the same way. The limits of the worm were the limits of domain trust relationships. For example, it didn't infect the city airport because that Windows domain is separate from the city's domains. This is the most pressing lesson organizations need to learn, the one they are ignoring. They need to do more to prevent desktops from infecting each other, such as through port-isolation/microsegmentation. They need to control the spread of administrative credentials within the organization. A lot of organizations put the same local admin account on every workstation, which makes the spread of NotPetya-style worms trivial. They need to reevaluate trust relationships between domains, so that the admin of one can't infect the others. These solutions are difficult, which is why news articles don't mention them. You don't have to know anything about security to proclaim "the problem is lack of patches". It's moral authority, chastising the weak, rather than a prescription of what to do. Solving supply chain hacks and Windows credential sharing, though, is hard. I don't know any universal solution to this -- I'd have to thoroughly analyze your network and business in order to Ransomware Malware Patching FedEx NotPetya Wannacry
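Added example (not from the original post; the network, host names, accounts and secrets are all constructed): a toy model of the credential-reuse spread the post describes. Each host accepts admin logons from its own local Administrator credential, from any extra accounts in its local Administrators group, and from a domain admin of its own domain; an infected host gives the worm whatever credentials it could dump from memory. A fixpoint loop then plays the worm forward. The three runs below show the three levers the post names: a shared local admin password on a flat network hands the worm the admin workstation, the domain admin hash and with it the DC and backup server; unique per-host local admin passwords stop it at whatever the shared helpdesk account can reach; segmentation with port isolation stops it at patient zero even with the shared password. The separate "airport" domain is never reached in any run, matching the Atlanta observation about domain boundaries.

```python
from collections import namedtuple

# kind is 'local' or 'domain:<name>'; equality of the tuple stands in for "the same hash works".
Cred = namedtuple('Cred', 'kind name secret')

DA = Cred('domain:corp', 'domain-admin', 'da-hash')          # constructed
HELPDESK = Cred('domain:corp', 'helpdesk', 'helpdesk-hash')  # constructed: local admin on workstations


class Host:
    def __init__(self, name, domain, segment, local_admin_secret, extra_admins=(), cached=()):
        self.name, self.domain, self.segment = name, domain, segment
        self.local_admin = Cred('local', 'Administrator', local_admin_secret)
        self.extra_admins = set(extra_admins)   # other accounts in the local Administrators group
        self.cached = set(cached)               # what a Mimikatz-style dump would recover here

    def accepts(self, cred):
        """Would PsExec with this credential get admin on this host?"""
        if cred.kind == f'domain:{self.domain}' and cred.name == 'domain-admin':
            return True
        return cred == self.local_admin or cred in self.extra_admins

    def loot(self):
        """Credentials the worm gains once it runs here (its own local admin plus cached ones)."""
        return {self.local_admin} | self.cached


def simulate(hosts, patient_zero, allowed=None):
    """Run the worm to a fixpoint. allowed: set of (src_segment, dst_segment) pairs that may
    talk to each other; None means a flat network where everything reaches everything."""
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero}
    pool = set(by_name[patient_zero].loot())
    changed = True
    while changed:
        changed = False
        for victim in hosts:
            if victim.name in infected:
                continue
            reachable = any(allowed is None or (by_name[i].segment, victim.segment) in allowed
                            for i in infected)
            if reachable and any(victim.accepts(c) for c in pool):
                infected.add(victim.name)
                pool |= victim.loot()
                changed = True
    return infected


def build_network(shared_local_admin):
    """Constructed network: one 'corp' domain plus a separate 'airport' domain."""
    def pw(host):
        return 'Welcome1' if shared_local_admin else f'unique-{host}'   # LAPS-style when unique
    return [
        Host('ws1', 'corp', 'office', pw('ws1'), extra_admins=[HELPDESK], cached=[HELPDESK]),
        Host('ws2', 'corp', 'office', pw('ws2'), extra_admins=[HELPDESK]),
        Host('ws3', 'corp', 'office', pw('ws3'), extra_admins=[HELPDESK]),
        Host('admin-ws', 'corp', 'admin', pw('admin-ws'), cached=[DA]),   # a DA logged on here
        Host('dc1', 'corp', 'datacenter', 'dc-unique'),
        Host('backup1', 'corp', 'datacenter', 'backup-unique'),
        Host('ap-ws1', 'airport', 'airport', 'Welcome-airport'),
        Host('ap-dc1', 'airport', 'airport', 'ap-dc-unique'),
    ]


# Port isolation in the office (no office->office), and only the admin segment may reach office hosts.
SEGMENTED = {('office', 'datacenter'), ('admin', 'office'), ('admin', 'datacenter'),
             ('datacenter', 'datacenter')}


def run_scenarios():
    return {
        'shared local admin, flat network': simulate(build_network(True), 'ws1'),
        'unique local admin, flat network': simulate(build_network(False), 'ws1'),
        'shared local admin, segmented': simulate(build_network(True), 'ws1', SEGMENTED),
    }


if __name__ == '__main__':
    for label, hosts in run_scenarios().items():
        print(f'{label}: {len(hosts)} infected -> {sorted(hosts)}')
```

The model deliberately ignores SMB exploits entirely, as the post argues the credential path was the one that cost whole domains; add an ETERNALBLUE-style edge and the unpatched hosts join the infected set regardless of credentials, which is the separate, smaller problem.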
bleepingcomputer.webp 2018-03-07 18:41:05 Technique Discovered That Can Mitigate Memcached DDoS Attacks (lien direct) A mitigation mechanism is available for all victims who are under a DDoS attack carried out via Memcached servers. [...] Patching ★★★
ZDNet.webp 2018-03-07 18:00:00 Here's how Android P promises to protect your privacy (lien direct) Android P could give even the most ardent iPhone fans a run for their money. Patching ★★★
MalwarebytesLabs.webp 2018-03-07 17:00:03 Building an incident response program: creating the framework (lien direct) An incident response plan does not need to be overly complicated. However, having a solid and tested framework for the program is key in the ability of an organization to respond to and survive a security incident. Categories: 101 Business Tags: (Read more...) Patching ★★★
Kaspersky.webp 2018-02-28 14:59:00 Intel Releases Updated Spectre Fixes For Broadwell and Haswell Chips (lien direct) Intel has issued stable microcode to help protect its Broadwell and Haswell chips from the Spectre Variant 2 security exploits. Patching
Blog.webp 2014-07-16 23:41:20 Foxit PDF Reader Stored XSS (lien direct) A friend of mine was performing an external pentest recently and he started to complain that his traditional Java exploits were not being effective. He was able to map a few applications and defenses in place protecting the client's network, but he still needed initial access to start pivoting. Basic protections like AV and application white-listing, as well as more advanced ones like EMET, are used to make the life of criminals (and pentesters) harder, but they're often bypassed. While discussing alternatives with my friend, he told me that the company replaced Adobe Reader after seeing lots of Security Advisories for the product. And what was the replacement? Foxit Reader. (Figure: advisories for Adobe Reader and Foxit Reader listed on OSVDB, May/2014.) Fewer advisories means that the product is more secure, right? Marc Ruef's talk about VDB management summarizes this point. The moment I heard the words Foxit Reader I remembered an old exploit I created a long time ago. The vulnerability wasn't that critical but I knew that it would fit the situation (and this blog post). As I was about to disclose it publicly I notified the vendor and waited for them to patch it. I had some problems with their security contact and had to mail them twice, but they answered after a couple of days, patching the product and releasing an advisory (no CVE is assigned for this vulnerability at the time of writing). Security Advisory: http://www.foxitsoftware.com/support/security_bulletins.php#FRD-21 Fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page. Summary: Foxit Reader 6.2.1, Foxit Enterprise Reader 6.2.1, and Foxit PhantomPDF 6.2.1 fixed a security issue caused by the Stored XSS vulnerability when reading and displaying filenames and their paths on the “Recent Documents” section from the Start Page. 
Attackers could tamper with the registry entry and cause the application to load malicious files. When opening a PDF, Foxit creates a "FileX" registry entry with the document's complete path: [HKEY_CURRENT_USER\Software\Foxit Software\Foxit Reader 6.0\Recent File List] "File1"="C:\\w00t.pdf" Whenever you open a document, Foxit 6.x displays the start panel on a different tab by default. Malware Vulnerability Patching Guideline ★★★★
Blog.webp 2014-02-18 09:43:31 Analyzing Malware for Embedded Devices: TheMoon Worm (lien direct) All the media outlets are reporting that Embedded Malware is becoming mainstream. This is something totally new and we never heard of this before, right? The high number of Linux SOHO routers with Internet-facing administrative interfaces, the lack of firmware updates and the ease of crafting exploits make them a perfect target for online criminals. The Internet of Threats is wildly insecure, but definitely not unpatchable. To all infosec people out there, it's important to understand these threats and report them properly to the media. Some top-notch researchers recently uncovered "Massive Botnets" infecting refrigerators, microwaves, gaming consoles, soda machines and tamagotchis. The problem is that they never provided any sort of evidence, no malware samples, no IOCs, and did not write a Hakin9 article describing it. Refrigerator Botnet? Revd. Pastor Laphroaig says Show the PoC || GTFO. The aim of this post is to provide more information to identify/execute embedded binaries, describing how to set up your own virtual lab. In case you missed it, head to the first post from the "Analyzing and Running binaries from Firmware Images" series. TheMoon Worm: Johannes from SANS provided me a sample from "TheMoon" malware and posted some interesting information on their handler's diary. Their honeypots captured the scanning activity and linked the exploit to a vulnerable CGI script running on specific firmwares from the following Linksys routers: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900. SANS handlers classified TheMoon as a Worm because of the self-replicating nature of the malware. The worm searches for a "HNAP1" URL to fingerprint and identify potentially vulnerable routers. If you check your FW and server logs you may find lots of different IPs probing this URL. The worm was named like this because it contains images from the movie "The Moon". 
It's possible to carve a few PNGs inside the ELF binary. Identifying the Binary: a total of seven different samples were provided; they all seem to be variants of the same malware due to the ssdeep matching score. Malware Vulnerability Patching ★★★★
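Added example (not code from the original post, and run on a constructed blob rather than a TheMoon sample): a structure-aware PNG carver of the kind used to pull the embedded images out of an ELF. A signature-only carver ("grep for \x89PNG") cannot tell where an image ends, so this one walks the chunk chain (length, type, data, CRC), verifies each CRC with zlib.crc32, requires IHDR first, and stops at IEND; a signature whose chain is truncated or corrupt is skipped rather than returned as a bogus image. The blob below is a constructed "ELF-like" byte string with two intact PNGs and one truncated one.

```python
import struct
import zlib

PNG_SIG = b'\x89PNG\r\n\x1a\n'


def _walk_png(blob, start):
    """Follow the chunk chain from a PNG signature at `start`.
    Returns (end_offset, width, height) if the chain is intact through IEND, else None."""
    cur = start + len(PNG_SIG)
    width = height = None
    first = True
    while cur + 8 <= len(blob):
        length, ctype = struct.unpack('>I4s', blob[cur:cur + 8])
        if first and ctype != b'IHDR':          # IHDR must be the first chunk
            return None
        first = False
        data_end = cur + 8 + length
        if data_end + 4 > len(blob):            # truncated: chunk runs past the end of the blob
            return None
        data = blob[cur + 8:data_end]
        crc = struct.unpack('>I', blob[data_end:data_end + 4])[0]
        if (zlib.crc32(ctype + data) & 0xffffffff) != crc:   # CRC covers type + data
            return None
        if ctype == b'IHDR':
            width, height = struct.unpack('>II', data[:8])
        cur = data_end + 4
        if ctype == b'IEND':
            return cur, width, height
    return None


def carve_pngs(blob):
    """Return every structurally valid PNG found in blob as {offset, width, height, data}."""
    found = []
    pos = blob.find(PNG_SIG)
    while pos != -1:
        walked = _walk_png(blob, pos)
        if walked is None:                       # bad chain: skip this signature, keep scanning
            pos = blob.find(PNG_SIG, pos + 1)
            continue
        end, width, height = walked
        found.append(dict(offset=pos, width=width, height=height, data=blob[pos:end]))
        pos = blob.find(PNG_SIG, end)
    return found


# ---- constructed sample input (builder, not part of the carver) ----

def _chunk(ctype, data):
    return struct.pack('>I', len(data)) + ctype + data + struct.pack('>I', zlib.crc32(ctype + data) & 0xffffffff)


def make_png(width, height):
    """A minimal valid 8-bit RGB PNG of the given size (all-black pixels)."""
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    raw = b''.join(b'\x00' + b'\x00\x00\x00' * width for _ in range(height))   # filter byte 0 per row
    return PNG_SIG + _chunk(b'IHDR', ihdr) + _chunk(b'IDAT', zlib.compress(raw)) + _chunk(b'IEND', b'')


def constructed_sample():
    """Fake ELF-ish blob: header bytes, a good PNG, junk, a truncated PNG, junk, another good PNG."""
    good1, good2 = make_png(4, 2), make_png(3, 3)
    truncated = make_png(2, 2)[:-6]              # IEND chunk cut off
    blob = b'\x7fELF' + b'\x00' * 60 + good1 + b'\xcc' * 16 + truncated + b'\xcc' * 16 + good2
    return blob, good1, good2


if __name__ == '__main__':
    blob, _, _ = constructed_sample()
    for img in carve_pngs(blob):
        print(f"PNG at offset {img['offset']}: {img['width']}x{img['height']}, {len(img['data'])} bytes")
```

Run it over a real firmware binary by replacing the constructed blob with the file contents; the CRC check is what keeps the carver from returning the garbage that a plain signature scan would.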
Last update at: 2024-05-09 14:07:06